What shouldn't most programmers write themselves?

  • (2 Pages)
  • +
  • 1
  • 2

19 Replies - 9599 Views - Last Post: 16 April 2014 - 04:25 PM

#1 Curtis Rutland  Icon User is offline

  • (╯□)╯︵ (~ .o.)~
  • member icon


Reputation: 4577
  • View blog
  • Posts: 8,019
  • Joined: 08-June 10

What shouldn't most programmers write themselves?

Post icon  Posted 17 March 2014 - 02:58 PM

This thread made me think of the question: "what kinds of libraries/tasks should the average programmer avoid writing for themselves?"

Cryptography is the prime example: unless you're a crypto/math wiz, rolling your own crypto algorithm is almost always a bad choice. Because there are people who's entire job is to find ways to break into systems; if there's any weakness at all in your code, they can find it and exploit it. It's better to use well-documented and well-tested algorithms, and it's usually better to use pre-made implementations of this as well, unless you know a specific vulnerability in a library that you're trying to work around.

Logging is, in my opinion, another area where programmers should tread lightly. I've made so many custom loggers in my career, and I regret almost every one of them. They've always caused problems I otherwise wouldn't have had, if only I had just grabbed ELMAH/log4net/enterprise library/whatever and used that. Little problems you never consider, like "what if the disk is temporarily unavailable", or "what if the sysadmins push a permissions change that causes your application's user to no longer have write permissions to the logging directory"? In cases like that, it's usually better for the application to keep on chugging without logging than it is to crash on a logging call, and if you haven't considered that, you're screwed. That's just one example of things that people who've focused on these projects will have already encountered and dealt with.

I'd like to clarify something at this point: I have nothing against people writing these things to learn. Just like how you have to re-implement a linked list in the Data Structures class that most CS courses have, re-inventing the wheel gives you insight into how the wheel works. But I urge you not to use the fruit of your efforts in a production system! Especially crypto.

So, what does everyone else think? Are there areas that you would urge the average programmer to avoid, and find a pre-baked solution, or do you think I'm completely off base here? Do you have anything to add to the list?

This is in the C# Advanced section, because that's the language of the question that spawned this discussion, but I'd love to hear from developers of all stripes.

Is This A Good Question/Topic? 4
  • +

Replies To: What shouldn't most programmers write themselves?

#2 AdamSpeight2008  Icon User is offline

  • MrCupOfT
  • member icon


Reputation: 2271
  • View blog
  • Posts: 9,500
  • Joined: 29-May 08

Re: What shouldn't most programmers write themselves?

Posted 17 March 2014 - 03:13 PM

*
POPULAR

Here's a few.
  • Anything related to Dates and Time.
  • Money / Currency
  • Security (Logins)
  • Programming Languages (Syntax Highlight regex won't cut it.)
  • Basic data structures
  • Basic algorithms. Sorting
  • Parsing.
    • CSV Just use TextFieldParser
    • XML
    • HTML

This post has been edited by AdamSpeight2008: 17 March 2014 - 03:15 PM

Was This Post Helpful? 6
  • +
  • -

#3 Skydiver  Icon User is offline

  • Code herder
  • member icon

Reputation: 3667
  • View blog
  • Posts: 11,501
  • Joined: 05-May 12

Re: What shouldn't most programmers write themselves?

Posted 17 March 2014 - 05:03 PM

Data compression
Was This Post Helpful? 2
  • +
  • -

#4 jon.kiparsky  Icon User is online

  • Pancakes!
  • member icon


Reputation: 8038
  • View blog
  • Posts: 13,757
  • Joined: 19-March 11

Re: What shouldn't most programmers write themselves?

Posted 17 March 2014 - 07:57 PM

Anything for which a library exists.

An exception can be made if you can demonstrate that the library is borken in some way that matters to your program.

Another exception can be made for the curious: if you want to know how crypto works, for example, the only way to figure it out for real is to write the primitives for yourself. But of course you write that for your own amusement, and not for deployment.
Was This Post Helpful? 3
  • +
  • -

#5 Momerath  Icon User is offline

  • D.I.C Lover
  • member icon

Reputation: 1012
  • View blog
  • Posts: 2,444
  • Joined: 04-October 09

Re: What shouldn't most programmers write themselves?

Posted 17 March 2014 - 08:17 PM

I'm going to take the other stance here and say that you should write everything yourself when you are learning. How else will you learn the things that need to be checked (for example, disk availability) unless you've done something and had it fail (you learn from failure, success rarely teaches you anything :)).

If I wanted to become a crypto-geek, I'd write code to do all the various encryption methods and post them so people can point out what I'm doing wrong.

If you never do anything that someone else has already done then we'll eventually reach the state where no one can do anything.


Don't take this the wrong way, I use libraries all the time. I just don't think there is a hard rule of "Use other people stuff".
Was This Post Helpful? 4
  • +
  • -

#6 Curtis Rutland  Icon User is offline

  • (╯□)╯︵ (~ .o.)~
  • member icon


Reputation: 4577
  • View blog
  • Posts: 8,019
  • Joined: 08-June 10

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 07:23 AM

Good answers all around. I agree with most of what's been said here, even the stuff that seems mutually exclusive :P

I'm of the opinion that you should self-implement anything you're curious about, just as Momerath mentioned. But don't use what you've written for anything important unless you know it's good. And if it's crypto, I'd still be concerned. All it takes is one small weakness (like a weak PRNG) to vastly reduce the complexity of breaking the algorithm. Most people would say "who's going to target me?" Well, in this day and age, you'd be surprised. Automated attacks make this kind of thing stupid easy, no need to give them another weakness to exploit.
Was This Post Helpful? 0
  • +
  • -

#7 modi123_1  Icon User is offline

  • Suitor #2
  • member icon



Reputation: 9587
  • View blog
  • Posts: 36,326
  • Joined: 12-June 08

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 07:33 AM

I'll add "most basic GUI controls".
Was This Post Helpful? 1
  • +
  • -

#8 jon.kiparsky  Icon User is online

  • Pancakes!
  • member icon


Reputation: 8038
  • View blog
  • Posts: 13,757
  • Joined: 19-March 11

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 07:37 AM

Yes, I agree that curiosity - the desire to learn, that is - is an excellent reason to reinvent any wheel. If you want to understand it, you have to build it. I guess to me that falls under the heading of "for my own amusement". :)
Was This Post Helpful? 2
  • +
  • -

#9 Curtis Rutland  Icon User is offline

  • (╯□)╯︵ (~ .o.)~
  • member icon


Reputation: 4577
  • View blog
  • Posts: 8,019
  • Joined: 08-June 10

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 07:51 AM

Exactly. Implement to learn, but use a well-tested and proven library/algo for your "real" projects.
Was This Post Helpful? 3
  • +
  • -

#10 rnblckmn  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 2
  • Joined: 03-August 10

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 01:24 PM

The problem I am seeing with using libraries any more is that they can no longer be trusted particularly in the cryptography area. With the weaknesses that have come to light in the RSS and BEST encryption standards and libraries you open yourself up to exposure in your applications by using the current libraries it is best to learn to do it on your own so you don't end up using methods that have been compromised by individuals and or governments. Though I admit I hate the idea of having to reinvent the wheel on most of this, the research alone can be pretty daunting not to mention rebuilding a whole bunch of libraries that someone else put their time and effort into getting right. as a professional programmer insecure code reflects badly on me and my programming group which ever one I am involved with at the time. So I do the research and learned to do it myself.
Was This Post Helpful? 0
  • +
  • -

#11 jon.kiparsky  Icon User is online

  • Pancakes!
  • member icon


Reputation: 8038
  • View blog
  • Posts: 13,757
  • Joined: 19-March 11

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 01:29 PM

Bad plan, unless you have the resources to get hordes of cryptographers to try to break your encryption. If not, rely on the stuff that's been tested by people who know what they're doing.
Was This Post Helpful? 0
  • +
  • -

#12 Curtis Rutland  Icon User is offline

  • (╯□)╯︵ (~ .o.)~
  • member icon


Reputation: 4577
  • View blog
  • Posts: 8,019
  • Joined: 08-June 10

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 01:32 PM

When people say things like "leave crypto to the experts", they usually mean "leave the algorithm development to professionals". If you understand the mechanics and mathematics of a particular well-documented algorithm, the danger of self-implementation is somewhat reduced.

The problem is that you could introduce vulnerabilities that don't exist in the original algorithm. For example, if an algorithm calls for a random number, and you use a weak PRNG, you're adding an attack vector that wouldn't otherwise be there. This is just a small example of any number of ways you could accidentally reduce the entropy of a cryptosystem. And it's quite unlikely that you'll be able to test your product to the extremes it needs to be tested to. If you're not a crypto-focused penetration tester, it's unlikely your tests will cover all surfaces.

So, you weigh the choice: should I use a vendor product that might have a backdoor, or should I roll my own that may have undocumented and unexplored weaknesses? Neither are a great choice. A third option usually exists: popular open source libraries have usually been reviewed and tested by "the masses", so vulnerabilities will usually come to light, and backdoors are far less likely since the source is available to all.
Was This Post Helpful? 0
  • +
  • -

#13 jon.kiparsky  Icon User is online

  • Pancakes!
  • member icon


Reputation: 8038
  • View blog
  • Posts: 13,757
  • Joined: 19-March 11

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 01:39 PM

Quote

When people say things like "leave crypto to the experts", they usually mean "leave the algorithm development to professionals". If you understand the mechanics and mathematics of a particular well-documented algorithm, the danger of self-implementation is somewhat reduced.



Maybe somewhat reduced, but not by that much - there's not just the problem of weak components, there's also some really interesting implementation dangers. For example, if you write in a high level language or with a good compiler, your code may get optimized. This is usually what you want - but in crypto applications, it can introduce regularities that you don't want. There's also a lot of details that you have to get right - for example, do you know how to avoid timing attacks? I know I don't want to spend my time trying to make sure I get that part right. Basically, the people most interested in doing QA on your code are the people who aren't going to file bug reports. Are you going to do better QA than they are? Probably not.

Open source libraries are the way to go - you never want to use a crypto library if you can't read the source.
Was This Post Helpful? 0
  • +
  • -

#14 Curtis Rutland  Icon User is offline

  • (╯□)╯︵ (~ .o.)~
  • member icon


Reputation: 4577
  • View blog
  • Posts: 8,019
  • Joined: 08-June 10

Re: What shouldn't most programmers write themselves?

Posted 18 March 2014 - 01:45 PM

That's basically what I was going for in the second paragraph, but you explained it better than me. Implementing an algorithm isn't as dangerous as creating a new one, but doing either is a bad choice.
Was This Post Helpful? 0
  • +
  • -

#15 ishkabible  Icon User is offline

  • spelling expret
  • member icon




Reputation: 1623
  • View blog
  • Posts: 5,714
  • Joined: 03-August 09

Re: What shouldn't most programmers write themselves?

Posted 19 March 2014 - 06:39 PM

I'd like to iterate "basic algorithms and data structures" from adam's post. While I don't think that you shouldn't do this for the reasons you shouldn't do Crypto it is a very good rule. Smart people spend LOTS of time writing really high quality data structures and algorithms in standard libraries for you; USE THEM. I can almost promise you don't have the time to beat their implementation even if you have the skill.

I'll go ahead an parrot other things from adams post:
Anything security critical since even if it is simple you don't want to be the guy that fucks up
Anything with a complex standard like HTML, or XML, or some complex protocol, or file type etc...
Date and time stuff is surprisingly tricky. Jon Skeet who some might know from stack overflow has a great talk about why shouldn't do that on your own.

I'd also add performance critical code like numerical computing, etc..

The last thing I'll had is concurrency. Don't use it directly because it is a mess of a problem to deal with.
Was This Post Helpful? 0
  • +
  • -

  • (2 Pages)
  • +
  • 1
  • 2