Building Better Developers

Detailed Notes

Code reviews are starting to become more common in enterprise development. Dev Ops and related automation have helped shine the light on improving quality and reliability in our processes. This presentation looks at how we can set our teams up for success in code reviews through better and consistent processes.

Code Reviews In Detail There is a time and place for code reviews. Likewise, there are ways to approach these complex tasks that can make the most of both our time and resources. Nevertheless, this process does not come without cost. Therefore, we need to be intentional in our approach and requirements to craft better code and provide a path for building better developers.

The Mentor-Mastermind Group This series comes from our mentoring/mastermind classes. These classes are virtual meetings that focus on how to improve our technical skills and build our businesses. The goals of each member vary. However, this diversity makes for great discussions and a ton of educational value every time we meet. We hope you enjoy viewing this series as much as we enjoy creating it. As always, this may not be all new to you, but we hope it helps you be a better developer. Drop us a line to find out when the next one is so you can join our group.

Transcript Text

[Music]
so costs i've been very
positive on on code reviews and i
that is definitely i'm you know
truth be told that is the purpose of
this presentation but there are costs
and you have to
understand those you have to take those
into account
because there is a there's a there's a
give and take and in a given environment
or a given solution
it may be that the costs
are higher than the benefits uh they
outweigh the benefits of the code review
and a lot of times that may be because
of the
the structure or the timing of your code
review
so think about and while we're doing
this we go back to the oops code review
points
um where did that go
oh here we go
if you go to these like if if you do
your code review you could do it on code
command before you deploy part of a
release and as a retrospective
so there could be multiple points where
you're reviewing code you could
technically actually
review code the same code multiple times
depending on how you do stuff
i recommend against that but
those are the kinds of things where
where your code review points are
those will impact how to some extent
they may magnify or minify some minimum
minimize some of these code review
costs now the first and the probably the
most obvious is your time spent
if you add a code review into your
process
that time is going to be added into your
process it's there's no ifs ands or buts
that's like pure physics at that point
if you
are going to say
we're going to do code reviews that
takes time therefore that time is time
that your resources could have spent
doing other stuff
it may be time that you're tacking on
before a release
but bottom line is
there's going to be a cost of time and
depending on how you do your your code
reviews it could be the cost of
for example like say you've got a 10
person team
if all 10 people
are involved in every code review
the whole team is spending that time
if
you have it set up so only let's say two
or three people are involved in a given
code review then that's going to change
your cost a little bit
so it needs you need to be aware of it
but also realize that there are
process things you can do that can help
adjust for those at least to take that
account to some extent and maybe
minimize the cost
or at least at least make it easier to
swallow
uh slower quote slower code deployment
and that is because typically we're
going to do a code review after
we've written code so somewhere from the
writing code to the deployment step
we're going to enter we're going to put
in a code review process
and that's going to slow
the deployment because at some point
we're waiting for code reviews to be
done and waiting to go through the code
review process before you deploy
that one if you just wait until after a
deployment and do your code review
you could avoid that particular cost but
that does mean that you're going to be
slower to start your next
deployment cycle so
you're just sort of shifting time it's
still going to slow that down
something that i'd
it goes back to the personal
view of your code
it can
you can end up in a situation where
you're basically doing defensive
programming
and this is where sometimes this goes
back to sometimes
the the value of
uh this is what you know sort of the
cathedral versus bizarre and stuff like
that
sometimes a single person is going to be
a little more comfortable with maybe
we'll say like the 80 20 rule that
they're they're gonna they can get in
they can write their code they see the
problem they see a solution
you're done
but when you open that up to review when
you have a committee or other people
that are now taking a look at that
then their varying
levels of risk acceptance
may change what is acceptable for that
code
and this would be defensive programming
is that you can get into conversations
where
you are
trying to take into account outliers
that almost never happen
and so you end up spending a lot of time
trying to address a situation that
almost never happens and that maybe
is not that big a deal
sometimes you look at stuff and it is
in the long run better to allow the
application to crash once in a blue moon
when all you have to do is restart it as
opposed to spending hours and hours
reviewing the code adjusting it and
trying to check for a bunch of
situations that may not occur
particularly if those checks
are a cost to that process every time
it's run
and if you think on a big scale think of
like batch
data loads or exports
probably load is more commonly something
where
if you're loading millions of records
and each record you want to go in and do
a bunch of checks to make sure if all of
the values are valid and that they're
unique within the system and things like
that you may have to
but in a lot of cases you don't not at
that point anyways
so instead of the cost of all of those
validations being part of the import
process you can put them somewhere else
where they do not multiply because of
just the number of records you're
dealing with
you know more simpler uh maybe a more
simpler example
that's why when you do triggers in a
database it's often
you know and in some similar kinds of
things it's or actually any real
transaction
you want it to be as minimal as possible
if you're locking stuff up because you
want to minimize the time that you are
locking the data that you're working
with it sort of makes sense
the cost from a code review with this
defensive programming is that sometimes
you may overthink
a solution and you end up providing you
know the the maserati when you could
have gotten away with ikea it's you know
not to
be
besmirch any of those products but
to just say that you know sometimes
we over architect our solution and code
review can sometimes lead to that
so that's something that has to be
considered as part of your
your environment and how you approach a
code review is to try to do it so that
you don't end up in this sort of
defensive programming approach to
solving problems and also that you just
don't overthink your solutions
the code review itself has a cost
but
preparing for a review
looking to review documenting it
just the mental
switch to go from writing code to
reviewing code there's a cost for that
and so you you want to make sure you
factor that in
uh just like anything else just you want
to make sure that when you're
trying to get to the bottom line of is
this going to cost more than it's worth
fully thinking through what what are all
the things that impact the cost what is
it what is the true cost of this
so now that
all of that being said let's talk about
how do we do this and maybe build a
habit
so it all comes down to
attention to details
that's really what a code review is is
it's we're not going to just write code
and throw it over the wall and see what
happens
it's we're going to write code but we're
going to really we're going to take a
you know write it take a moment take a
deep breath take a look at it
maybe make some adjustments and then
move forward
so if you want to build a habit
the first thing is you've got to start
somewhere
so pick a place
and set a process this may be personal
it may be something where you're just i
mean you couldn't even do this with
yourself it's just a personal code
review i'm going to write code but i'm
going to go back and take a look at it
before i move it forward
in an organization it's much more
once code gets to point a whatever
that's going to be that's going to be
our code review
checkpoint
then
we're going to say there's this process
that is code review and we're going to
put that into place
if you're a development shop that
already exists
then you want to do that really for the
new changes to code you don't want to
try to go back and code review you know
millions and millions of lines of code
you don't want to try to go back and
code review all that stuff
you start by saying okay we didn't do a
code review in the past so the next
second best time to start it is now
and so we're going to pick a point and
we're say we're going to start this in
any new code
we're going to we're going to do a code
review process and that's that could be
newly written code or even changes to
code is that we're going to and
changes to code can be far reaching so
we're going to have to talk a little bit
about scope
of what
is included in that code review
because it could be that you want change
five lines of code in a file that has
10 000 lines of code in it and you don't
necessarily want to go back and code
review all of that uh this that's
probably an argument to not have a file
that has 10 000 lines of code in it but
that's an argument for a different day
so start by saying all right we're going
to
code review changes when there's code
changes we're going to do code reviews
moving forward
you want to build into that process a
a flow
to a code review
that makes it easy to
surface and address
corrections and updates
you want to have it be something where
you can go through a code review there
is a very well-defined list of
of changes agreed upon changes
and then
it's essentially a
continuation of that process to
assign those changes back to the
developer developer can change them you
can have a
sort of a
a shorter code review process like a
a verification code review that says yep
you made these changes i'm i'm good with
that maybe do a quick look to make sure
that nothing else changed as part of
that
and then that flows forward and now your
your code is
reviewed
it will help immensely to have some sort
of metric
or set of metrics that you can use to
measure your progress uh we're going to
talk a little bit about some of the
tools that can provide these things that
are essentially there they're roughly
scores on your code so you can take a
look at it and you can see over time
hopefully how your scores get better
this may also be things that are much
more bottom line driven
it may be customer acceptance scores it
may have to do with bug reports it may
have to do with system downtime
all of those things and actually the
more the better the more metrics you
have
the more details you have to look into
what was life like you know sort of a
baseline of what was it before we did
the code reviews and what is it after we
do the code reviews
because even though we've looked at all
these pros and cons and costs and
and value
the bottom line metrics for your
organization are going to be the best
measure of how does this work for us
and
is it working for us
because
if it's not it may be that it's not
going to work at all it may be how you
do it
but it's like everything else if you
don't measure it then it's going to be
really hard to figure out how to change
it and improve it
once you get these things into place
there's a point where
it would be useful and you may want to
be able to is maybe use some tools or
automated tools or something like that
just because of the time required
and go back and review your legacy code
and again some of the tools i'm going to
point you to are great ways to do this
is you can go back and look at stuff
that you wrote last year 10 years ago
in a different language whatever
and see how they stack up
and and you may want to go through and
improve
that older code as well try to make some
changes
and
and figure a way to get that to have a
better uh so you have like a better
baseline essentially
and then as you're going through this
the bottom line at the end you sort of
get down to it and you say all right
we're doing these things we've made some
changes we're making corrections we're
measuring this we've even looked at some
of our legacy code
you're going to be able to improve so as
you start building that data up take a
look at those metrics
take a look at where you can maybe make
improvements
you may even be able to do sort of a b
testing make some improvements and see
if that affects the metrics in the way
that you want it to
and it may be that you change your
process and suddenly the metrics look
worse
so maybe it's time to examine that
process and say what did we change
that maybe caused this problem
or if you see within those metrics
depending on how detailed they are you
may be able to see where there's there
are strengths and weaknesses to what you
do and so
you maybe look at how can we
offset some of those weaknesses in our
process
and i know these are a little
vague
as far as the details of the code review
itself but
that really does come down to
uh beyond bugs are sort of easy
like everybody it doesn't work it
doesn't work we've got to fix it
but when you get down to coding
standards and maintainability
uh also requirements in certain certain
industries you know like if you're in
healthcare or finance
there are your code review is different
there are certain things that are
that you're going to have to take in
account that take into account that you
wouldn't otherwise if i write a little
app that's a i don't know a to-do list
app there's a whole lot of stuff i don't
have to deal with if you write a little
app that is talking to a doctor and
exchanging personal health information
there's a lot of stuff that you have to
do
for that to
be legal you know to avoid fines and
things like that so
your industry and your
uh even the way really your leadership
of your it group can greatly
impact what a code review really needs
to be so
those are things that you have to
unfortunately
you can have some guidelines again some
of the tools we're going to look at and
provide you some baselines for that
but your organization itself needs to
know what it needs
in order to do it right
so look at it
you

Transcript Segments

1.35

[Music]

28.72

so costs i've been very

31.519

positive on on code reviews and i

34.8

that is definitely i'm you know

36.719

truth be told that is the purpose of

38.399

this presentation but there are costs

40.719

and you have to

43.2

understand those you have to take those

45.12

into account

46.32

because there is a there's a there's a

give and take and in a given environment

50.399

or a given solution

52.8

it may be that the costs

54.96

are higher than the benefits uh they

57.28

outweigh the benefits of the code review

59.359

and a lot of times that may be because

61.68

of the

62.879

the structure or the timing of your code

65.04

review

66.64

so think about and while we're doing

68.64

this we go back to the oops code review

71.119

points

72.72

um where did that go

78.56

oh here we go

79.759

if you go to these like if if you do

81.6

your code review you could do it on code

83.439

command before you deploy part of a

84.96

release and as a retrospective

87.28

so there could be multiple points where

88.88

you're reviewing code you could

90.96

technically actually

92.56

review code the same code multiple times

94.799

depending on how you do stuff

97.28

i recommend against that but

99.6

those are the kinds of things where

101.28

where your code review points are

104.399

those will impact how to some extent

107.52

they may magnify or minify some minimum

110.399

minimize some of these code review

112.84

costs now the first and the probably the

115.92

most obvious is your time spent

118.88

if you add a code review into your

121.119

process

122.32

that time is going to be added into your

124

process it's there's no ifs ands or buts

126.32

that's like pure physics at that point

128.8

if you

129.759

are going to say

131.36

we're going to do code reviews that

133.04

takes time therefore that time is time

136.16

that your resources could have spent

137.52

doing other stuff

138.8

it may be time that you're tacking on

140.239

before a release

141.68

but bottom line is

143.52

there's going to be a cost of time and

145.52

depending on how you do your your code

147.2

reviews it could be the cost of

150.239

for example like say you've got a 10

151.76

person team

153.519

if all 10 people

155.2

are involved in every code review

157.92

the whole team is spending that time

160.48

161.28

you have it set up so only let's say two

163.519

or three people are involved in a given

165.599

code review then that's going to change

167.28

your cost a little bit

168.959

so it needs you need to be aware of it

170.72

but also realize that there are

173.2

process things you can do that can help

176.4

adjust for those at least to take that

178.4

account to some extent and maybe

180.239

minimize the cost

182.319

or at least at least make it easier to

183.84

swallow

184.959

uh slower quote slower code deployment

189.2

and that is because typically we're

192.08

going to do a code review after

195.2

we've written code so somewhere from the

198

writing code to the deployment step

199.76

we're going to enter we're going to put

201.519

in a code review process

204.48

and that's going to slow

206.4

the deployment because at some point

208.08

we're waiting for code reviews to be

209.84

done and waiting to go through the code

212.4

review process before you deploy

214.959

that one if you just wait until after a

217.76

deployment and do your code review

220.08

you could avoid that particular cost but

223.519

that does mean that you're going to be

224.72

slower to start your next

227.12

deployment cycle so

229.28

you're just sort of shifting time it's

231.04

still going to slow that down

234.879

something that i'd

236.48

it goes back to the personal

238.64

view of your code

240.72

it can

242.799

you can end up in a situation where

244.56

you're basically doing defensive

246.08

programming

247.92

and this is where sometimes this goes

249.84

back to sometimes

252.84

the the value of

255.84

uh this is what you know sort of the

258.079

cathedral versus bizarre and stuff like

260.16

that

261.919

sometimes a single person is going to be

264.479

a little more comfortable with maybe

266.8

we'll say like the 80 20 rule that

268.88

they're they're gonna they can get in

270.72

they can write their code they see the

272.32

problem they see a solution

275.28

you're done

276.88

but when you open that up to review when

278.88

you have a committee or other people

280.96

that are now taking a look at that

283.28

then their varying

285.759

levels of risk acceptance

288.4

may change what is acceptable for that

290.88

code

292.16

and this would be defensive programming

293.68

is that you can get into conversations

295.52

where

296.4

you are

297.759

trying to take into account outliers

300.8

that almost never happen

303.199

and so you end up spending a lot of time

305.919

trying to address a situation that

308.08

almost never happens and that maybe

310.4

is not that big a deal

312.24

sometimes you look at stuff and it is

315.52

in the long run better to allow the

318.16

application to crash once in a blue moon

321.919

when all you have to do is restart it as

324.16

opposed to spending hours and hours

326.72

reviewing the code adjusting it and

330.08

trying to check for a bunch of

331.84

situations that may not occur

334.24

particularly if those checks

337.12

are a cost to that process every time

340

it's run

341.6

and if you think on a big scale think of

343.919

like batch

345.28

data loads or exports

348.639

probably load is more commonly something

350.32

where

351.36

if you're loading millions of records

353.68

and each record you want to go in and do

355.6

a bunch of checks to make sure if all of

357.199

the values are valid and that they're

359.52

unique within the system and things like

361.12

that you may have to

363.12

but in a lot of cases you don't not at

365.12

that point anyways

366.8

so instead of the cost of all of those

368.88

validations being part of the import

371.44

process you can put them somewhere else

374.08

where they do not multiply because of

376.16

just the number of records you're

377.36

dealing with

378.72

you know more simpler uh maybe a more

380.56

simpler example

382.72

that's why when you do triggers in a

384.479

database it's often

386.88

you know and in some similar kinds of

388.479

things it's or actually any real

390.4

transaction

391.759

you want it to be as minimal as possible

395.12

if you're locking stuff up because you

397.28

want to minimize the time that you are

398.88

locking the data that you're working

400.4

with it sort of makes sense

402.56

the cost from a code review with this

404.16

defensive programming is that sometimes

405.759

you may overthink

407.6

a solution and you end up providing you

410.16

know the the maserati when you could

412

have gotten away with ikea it's you know

414.16

not to

415.52

417.84

besmirch any of those products but

421.84

to just say that you know sometimes

425.36

we over architect our solution and code

427.84

review can sometimes lead to that

429.84

so that's something that has to be

431.759

considered as part of your

434.72

your environment and how you approach a

436.4

code review is to try to do it so that

439.12

you don't end up in this sort of

440.24

defensive programming approach to

442.4

solving problems and also that you just

444.319

don't overthink your solutions

448

the code review itself has a cost

450.56

but

451.44

preparing for a review

453.84

looking to review documenting it

456.4

just the mental

458.16

switch to go from writing code to

460.96

reviewing code there's a cost for that

463.759

and so you you want to make sure you

466

factor that in

467.28

uh just like anything else just you want

468.639

to make sure that when you're

470.879

trying to get to the bottom line of is

472.72

this going to cost more than it's worth

475.28

fully thinking through what what are all

477.44

the things that impact the cost what is

479.52

it what is the true cost of this

484.639

so now that

486.319

all of that being said let's talk about

488.16

how do we do this and maybe build a

490.479

habit

492.8

so it all comes down to

495.68

attention to details

497.759

that's really what a code review is is

499.52

it's we're not going to just write code

501.28

and throw it over the wall and see what

502.639

happens

503.599

it's we're going to write code but we're

504.879

going to really we're going to take a

506.8

you know write it take a moment take a

509.36

deep breath take a look at it

511.68

maybe make some adjustments and then

513.12

move forward

515.44

so if you want to build a habit

518.32

the first thing is you've got to start

519.919

somewhere

521.2

so pick a place

523.519

and set a process this may be personal

526.24

it may be something where you're just i

527.36

mean you couldn't even do this with

528.399

yourself it's just a personal code

530.08

review i'm going to write code but i'm

531.6

going to go back and take a look at it

533.12

before i move it forward

535.36

in an organization it's much more

538.08

once code gets to point a whatever

540.72

that's going to be that's going to be

541.76

our code review

543.2

checkpoint

544.64

then

545.68

we're going to say there's this process

547.76

that is code review and we're going to

549.6

put that into place

552.16

if you're a development shop that

553.519

already exists

555.6

then you want to do that really for the

557.68

new changes to code you don't want to

559.68

try to go back and code review you know

561.68

millions and millions of lines of code

563.12

you don't want to try to go back and

564.16

code review all that stuff

566.08

you start by saying okay we didn't do a

568.399

code review in the past so the next

570.48

second best time to start it is now

573.519

and so we're going to pick a point and

574.8

we're say we're going to start this in

576.24

any new code

578.399

we're going to we're going to do a code

579.68

review process and that's that could be

581.6

newly written code or even changes to

583.6

code is that we're going to and

585.68

changes to code can be far reaching so

588.32

we're going to have to talk a little bit

590.56

about scope

592.08

of what

594

is included in that code review

596.72

because it could be that you want change

598.8

five lines of code in a file that has

601.68

10 000 lines of code in it and you don't

604.48

necessarily want to go back and code

606

review all of that uh this that's

608.079

probably an argument to not have a file

609.6

that has 10 000 lines of code in it but

611.6

that's an argument for a different day

613.92

so start by saying all right we're going

616.399

618.64

code review changes when there's code

620.48

changes we're going to do code reviews

622.079

moving forward

624.32

you want to build into that process a

628.24

a flow

629.519

to a code review

631.2

that makes it easy to

634

surface and address

636.24

corrections and updates

638.88

you want to have it be something where

641.04

you can go through a code review there

642.56

is a very well-defined list of

645.6

of changes agreed upon changes

648.399

and then

649.44

it's essentially a

651.12

continuation of that process to

654.56

assign those changes back to the

655.92

developer developer can change them you

658.32

can have a

659.44

sort of a

660.64

a shorter code review process like a

663.04

a verification code review that says yep

665.279

you made these changes i'm i'm good with

667.36

that maybe do a quick look to make sure

669.2

that nothing else changed as part of

671.04

that

672.56

and then that flows forward and now your

674.72

your code is

676.48

reviewed

678.88

it will help immensely to have some sort

681.68

of metric

682.959

or set of metrics that you can use to

684.959

measure your progress uh we're going to

687.12

talk a little bit about some of the

688.56

tools that can provide these things that

690.32

are essentially there they're roughly

692.079

scores on your code so you can take a

694.32

look at it and you can see over time

696.16

hopefully how your scores get better

698.959

this may also be things that are much

701.04

more bottom line driven

703.519

it may be customer acceptance scores it

705.6

may have to do with bug reports it may

708

have to do with system downtime

710.48

all of those things and actually the

712.32

more the better the more metrics you

714.56

have

715.519

the more details you have to look into

717.519

what was life like you know sort of a

719.519

baseline of what was it before we did

721.76

the code reviews and what is it after we

724

do the code reviews

725.839

because even though we've looked at all

727.04

these pros and cons and costs and

729.68

and value

731.76

the bottom line metrics for your

733.44

organization are going to be the best

735.519

measure of how does this work for us

738.399

and

739.279

is it working for us

740.8

because

741.92

if it's not it may be that it's not

744

going to work at all it may be how you

745.36

do it

746.24

but it's like everything else if you

747.6

don't measure it then it's going to be

749.279

really hard to figure out how to change

751.04

it and improve it

753.92

once you get these things into place

756.72

there's a point where

758.959

it would be useful and you may want to

760.88

be able to is maybe use some tools or

763.04

automated tools or something like that

764.32

just because of the time required

766.32

and go back and review your legacy code

768.8

and again some of the tools i'm going to

770.639

point you to are great ways to do this

772.959

is you can go back and look at stuff

774.399

that you wrote last year 10 years ago

777.36

in a different language whatever

779.44

and see how they stack up

782.079

and and you may want to go through and

783.839

improve

785.76

that older code as well try to make some

787.6

changes

788.639

and

790.079

and figure a way to get that to have a

792.639

better uh so you have like a better

794.32

baseline essentially

797.04

and then as you're going through this

798.8

the bottom line at the end you sort of

800.32

get down to it and you say all right

802

we're doing these things we've made some

803.36

changes we're making corrections we're

804.88

measuring this we've even looked at some

806.56

of our legacy code

808.56

you're going to be able to improve so as

810.56

you start building that data up take a

812.16

look at those metrics

814.16

take a look at where you can maybe make

816

improvements

817.36

you may even be able to do sort of a b

819.04

testing make some improvements and see

821.04

if that affects the metrics in the way

823.68

that you want it to

825.6

and it may be that you change your

827.44

process and suddenly the metrics look

829.04

worse

830.639

so maybe it's time to examine that

831.839

process and say what did we change

834.079

that maybe caused this problem

836.399

or if you see within those metrics

838.16

depending on how detailed they are you

839.76

may be able to see where there's there

841.6

are strengths and weaknesses to what you

843.12

do and so

844.88

you maybe look at how can we

846.8

offset some of those weaknesses in our

848.639

process

850.639

and i know these are a little

852.72

vague

854.079

as far as the details of the code review

856.079

itself but

857.36

that really does come down to

860.079

uh beyond bugs are sort of easy

863.44

like everybody it doesn't work it

865.12

doesn't work we've got to fix it

866.8

but when you get down to coding

868.56

standards and maintainability

871.279

uh also requirements in certain certain

873.76

industries you know like if you're in

874.88

healthcare or finance

876.48

there are your code review is different

878.8

there are certain things that are

881.36

that you're going to have to take in

882.88

account that take into account that you

885.12

wouldn't otherwise if i write a little

887.12

app that's a i don't know a to-do list

889.04

app there's a whole lot of stuff i don't

890.8

have to deal with if you write a little

892.56

app that is talking to a doctor and

895.36

exchanging personal health information

897.44

there's a lot of stuff that you have to

899.76

900.56

for that to

901.839

be legal you know to avoid fines and

904

things like that so

905.76

your industry and your

908.32

uh even the way really your leadership

910.32

of your it group can greatly

913.44

impact what a code review really needs

915.68

to be so

916.88

those are things that you have to

918.24

unfortunately

919.839

you can have some guidelines again some

921.92

of the tools we're going to look at and

922.959

provide you some baselines for that

925.519

but your organization itself needs to

927.6

know what it needs

929.519

in order to do it right

933.279

so look at it

949.12

you