As software development transitions away from waterfall workflows to more Agile and iterative practices, there is a growing perception that artifact (document and code) review is not as critical - we're responding to change instead of following a plan!
When it comes to software quality, we all think we know the difference between good and bad code. Customers often ask us to perform one-off code reviews, typically when taking on a code base or when a new CTO arrives!
Whilst one-off code review is useful, the real value of regular code reviews is in maintaining the long-term quality of the code base. Here, we outline how we define code quality, how we go about reviewing and measuring it, and lastly, how this links through to technical debt management.
In the context of software engineering, software quality can be split into two distinct areas:
Whilst one-off code review can take a snapshot of code quality, an effective code review process aligned with the software development or maintenance approach is key to ensuring the long-term quality of the code base. Shift left is a practice intended to find and prevent defects early in the software development process. Like testing, code reviews are of paramount importance in ensuring good code and providing a way to locate problems as early as possible as well as ensuring the consistency and reliability of the software. The earlier you find errors, the faster, easier, and cheaper they are to resolve.
SmartBear Software conducted a global online survey in 2020. The respondents rated code reviews as the best way to boost code quality.
Additionally, more than 80% of developers surveyed said satisfaction with code review processes is directly linked to confidence in the overall quality of software released.
Code reviews can be conducted in a variety of ways, including manual reviews, pair programming, mentoring and the use of shared documents for easy review. Whilst all these methods are effective, they can be very time consuming - this is where tools come in.
Code review tools provide a way to automate the process and, like test automation, support more frequent and earlier reviews. The tool we most use is SonarQube.
Code quality and security are similar in that both types of issues can be identified with static analysis. Static Application Security Testing (SAST) tools are designed to analyse source code or compiled versions of code to help find bugs, vulnerabilities and code smells.
Such tools enable our software engineers to discover security vulnerabilities (mapped to the OWASP Top Ten) early and often, in real time, as they write code. These tools are now integrated into the development environments (IDEs) we use, such as Visual Studio.
Static code review tools also help developers to understand structural quality and to follow coding standards. Using Continuous Integration tools allows for automatic triggering of checking against coding standards and code smells. This can give developers immediate feedback, decreasing the chance of errors and bugs getting into production.
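To make the "bugs, vulnerabilities and code smells" distinction concrete, here is a small static check of the kind a SAST tool runs as a CI gate before code reaches the main branch. This is an added example, not NashTech's or SonarQube's code: the rule names, the `analyse`/`passes_gate` functions and the sample source in `SAMPLE` are all constructed for illustration.

```python
"""Minimal shift-left static check over Python source (added example; the
rules, identifiers and sample input are constructed, not a real SAST rule set)."""
import ast
import re
from dataclasses import dataclass

# Calls that execute arbitrary code or shell commands: a classic SAST finding.
DANGEROUS_CALLS = {"eval", "exec", "os.system"}
# Heuristic for hard-coded credentials in assignment targets (constructed).
SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


def _call_name(node: ast.Call) -> str:
    """Return 'eval' or 'os.system'-style dotted name for a call, else ''."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def analyse(source: str) -> list[Finding]:
    """Walk the AST once and collect findings, sorted by line number."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:  # vulnerability: code/command execution
                findings.append(Finding(node.lineno, "dangerous-call",
                                        f"call to {name}() can execute untrusted input"))
            if name.startswith("subprocess.") and any(
                    kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords):
                findings.append(Finding(node.lineno, "shell-true",
                                        f"{name}() with shell=True risks command injection"))
        elif isinstance(node, ast.Assign):  # vulnerability: hard-coded secret
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str) and node.value.value):
                    findings.append(Finding(node.lineno, "hardcoded-secret",
                                            f"string literal assigned to {target.id}"))
        elif isinstance(node, ast.ExceptHandler) and node.type is None:
            # code smell: a bare `except:` hides errors the review should see
            findings.append(Finding(node.lineno, "bare-except",
                                    "bare except swallows all exceptions"))
    return sorted(findings, key=lambda f: f.line)


def passes_gate(findings: list[Finding], max_findings: int = 0) -> bool:
    """Quality gate as a CI job would apply it: fail the build above the threshold."""
    return len(findings) <= max_findings


# Constructed sample input containing one instance of each rule.
SAMPLE = '''\
import os, subprocess
DB_PASSWORD = "hunter2"
def run(cmd):
    os.system(cmd)
    subprocess.run(cmd, shell=True)
    try:
        return eval(cmd)
    except:
        pass
'''

if __name__ == "__main__":
    results = analyse(SAMPLE)
    for f in results:
        print(f"line {f.line}: [{f.rule}] {f.message}")
    print("gate:", "PASS" if passes_gate(results) else "FAIL")
```

Run in a pre-merge CI step, a non-zero gate result blocks the merge, which is what gives developers the immediate feedback described above; tuning `max_findings` is the equivalent of setting a quality-gate threshold rather than insisting on zero from day one.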
One of the advantages of producing quality code from the first iteration is that it reduces technical debt. High quality code may take longer initially to produce but will result in less bug fixing and refactoring and can reduce or remove the long-term pain of technical debt. High quality code makes long-term development and maintainability easier and (critically for customers) cheaper.
Our approach to increasing code quality is to continuously track and prioritise technical debt so that we can make the business case to refactor the most important parts of the client's code base.
Learn more about the NashTech approach or arrange a call to discuss how we can help, email: info@nashtechglobal.com.