Current practices and Impact of Code review practices in Top Companies
Have you ever wondered how top software companies worldwide ensure high-quality code by implementing different code review practices? A study performed by the IBM System Science Institute determined that the relative cost to fix defects within the SDLC increase by multiple times as the defect moves from one stage to another. Relative costs of fixing defects are 15 times more if they are found during the testing and 100 times more expensive if they are found post-release.
If a vulnerability scan of any software is delayed or done in late SDLC, the time and energy needed to mitigate the issues are expensive. It is advised that the standards to follow and the methods to implement for maintaining the software quality must be discussed in the initiation of the process to better understand quality threats to a system and consistency risks to a system. The specification and development efforts will then be driven by a predictable process.
Adapting and implementing lightweight secure code review, thanks to automated code review tools is now normal practice for most companies today. Companies like Google and Microsoft introduced code review practices early on and are still perfecting them over the years.
We investigated various code review methods adapted by top companies of the world to get an insight into their current practices:
- Microsoft utilizes CodeFlow, which tracks the condition of every individual (writer or analyst) and where they are all the while (closed down, pausing, evaluating). This is a sophisticated instrument for code review that assists and directs developers through all phases of a code review. According to a study by Dr. Michaela Greiler, a developer at Microsoft spends 30% of their time on code reviews on average every week. So, it is important to make sure that this time is spent worthwhile. Click To Tweet
- Google’s Chromium project (alongside a few other OSS projects) depends on the externally accessible Gerrit, in Chromium. Changes are merged into the branch after the reviewer approves the patches and code quality tools confirm that the change doesn’t breaks the build. At Google the primary purpose of code review is to ensure that Google’s code health improves over time. All the code review tools and processes are designed for this purpose.
According to The Googles Standards of Code Review “Firstly, developers need to be able to build their assignments. If the developers never submit a codebase enhancement, then the codebase never grows. Also, if a reviewer makes it very hard for any change to take place, then developers are disincentivized to make future improvements. A reviewer also has ownership and liability over the code they are reviewing. They want to ensure that the codebase remains stable, maintainable and consistent. In general, reviewers should favor authorizing a CL until it is in a condition in which the overall code health of the device being operated on is certainly enhanced, even though the CL is not flawless.”~ You can read more about Google’s code review recommendations here.
- Facebook’s code audit framework Phabricator, permits analysts to “take over” a change and commit it themselves and provides hooks for automatic static analysis or continuous build/test integration. Subjective examinations have been likewise directed to characterize what establishes a decent code survey as indicated by modern and OSS designers. In reality, with a series of command-line tools named Arcanist, Phabricator does go beyond the web. It allows Facebook developers to run unit tests, merge updates, search for code syntax errors, and even extend Arcanist to include additional commands.
- At Netflix, Spinnaker is used as their global continuous delivery platform. The code goes through a number of steps that need to happen before a line of code makes it way into Spinnaker. Firstly code is built and tested locally using Nebula. Then changes are committed to a central git repository. A Jenkins job executes Nebula, which builds, tests, and packages the application for deployment. Builds are “baked” into Amazon Machine Images. Spinnaker pipelines are used to deploy and promote the code change.
- Amazon uses an automated robotic approver like CodeGrip to approve the code before it gets to preproduction. Once the code is in pre-production Amazon’s CodeGuru an ML tool allows building and run Built-in code reviews with intelligent recommendations. It detects and optimizes the expensive lines of code pre-production. Easily identifying application inefficiencies in the production environment along with AWS CodeCommit integrated with “Approval Rules” that must be met before a pull request can be merged.
The common CI/CD-based code audit model prevalent at most companies
While companies like Google, Microsoft, Apple etc have created their own tools to suit their SDLC, the most common process for automating code reviews followed by companies is using review tools within their deployment pipeline.
A developer wanting to make a change forks an existing git repository and then makes changes in their branch. It appears in the list of pull requests for the project in question, visible to anyone who can see the project after a pull request has been sent out. The automated code review tool analyzes the code from the branch and provides the reviewer with the static code analysis which the reviewer can refer to for approving or disapproving review.
A static code analysis within the development pipeline is a valuable method to have code reviews consistently. The static code review provides answers on code correctness, readability, performance, test coverage, vulnerabilities etc.
Summary
A stable SDLC has all the operations and security measures needed to build a compatible version. Once the process is stable, the results are predictable too. This is the reason, the common theme for all top companies is the proactive approach to build automation around code reviews and a penchant to check bugs before they impact the product.
To really avoid, detect and minimize exploitable vulnerabilities within established systems, a competent workforce and stable software policies and controls are needed. Protection is not only a necessity for the network, it is now a requirement for information management, which requires the creation of all applications to transmit, process, and control information.
Now you can get started with automating your code review process.
Sign Up with Codegrip and get started for Free!
Liked what you read? Subscribe and get fresh updates.
P.S. Don’t forget to share this post.