Perfect Constant Vigilance


I commonly see problems “solved” by adding human review.

  1. Every non-public API endpoint must have the appropriate auth check.
  2. Before promotion the promoter will review the list of commits and ensure that all new features are “ready for release”.
  3. Every string interpolation must be properly encoded.

This is attractive because it is easy to publish a list of standards and expect human review to enforce them. The problem is that it doesn’t work. I call this fallacy Perfect Constant Vigilance.

The truth is that humans are awful at repetitive tasks, especially tedious ones, so human review cannot reliably catch errors. This is the primary reason we still have car accidents even though we have sensible traffic rules and everyone learns them in driving school: driving is a tedious task, and humans lose focus once they have done it often enough. (This is also why I think level 1-3 self-driving is incredibly irresponsible; it makes driving even more tedious and routine while still relying on the human to catch the rare failure.)

What to do instead?

There are different ways to reduce dependence on Perfect Constant Vigilance. Some ideas, listed from most preferable to least preferable:

  1. Remove the problem entirely. (Ex: Stop working with user-controlled data.)
  2. Make the problem impossible to occur by accident. (Ex: Make it impossible to register an endpoint without an auth wrapper; public endpoints must be explicitly marked as public, so the default is the safe one.)
  3. Automate the review. (Ex: A lint rule that bans innerHTML, so the check runs on every change instead of relying on a reviewer to notice.)
  4. Make the review less tedious. (Ex: Reduce review size, so the reviewer only has to look at the explicit exceptions rather than every endpoint.)
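As an added illustration of options 2 and 4 (this is example code written for this post, not code from any project the post refers to), here is a hypothetical endpoint registry in which authentication is the default and "public" is an explicit, auditable exception. The only way to register an endpoint is through `route()`, so a handler cannot reach the dispatcher without the auth check unless its author has written `public=True`, and `public_endpoints()` produces the short list that a reviewer actually has to look at. All names (`Router`, `Request`, `Unauthorized`, the sample routes) are assumptions for the example.

```python
# Added example: auth-by-default endpoint registry (hypothetical names).
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class Unauthorized(Exception):
    """Raised when an unauthenticated request hits a non-public endpoint."""


@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None means the request is unauthenticated


Handler = Callable[[Request], str]


@dataclass
class Endpoint:
    handler: Handler
    public: bool


class Router:
    def __init__(self) -> None:
        self._endpoints: Dict[str, Endpoint] = {}

    def route(self, path: str, *, public: bool = False):
        """The only way to register an endpoint.

        The default is private, so forgetting to think about auth yields a
        protected endpoint, not an exposed one. Exposing something requires
        an explicit public=True that shows up in review and in the audit list.
        """
        def register(fn: Handler) -> Handler:
            if path in self._endpoints:
                raise ValueError(f"duplicate route {path}")
            self._endpoints[path] = Endpoint(fn, public)
            return fn
        return register

    def dispatch(self, req: Request) -> str:
        ep = self._endpoints.get(req.path)
        if ep is None:
            raise KeyError(req.path)
        # The auth check lives here, once, rather than in every handler.
        if not ep.public and req.user is None:
            raise Unauthorized(req.path)
        return ep.handler(req)

    def public_endpoints(self) -> List[str]:
        """The short list a reviewer has to check instead of every handler."""
        return sorted(p for p, ep in self._endpoints.items() if ep.public)


router = Router()


@router.route("/health", public=True)          # explicit, reviewable exception
def health(req: Request) -> str:
    return "ok"


@router.route("/admin/users")                  # protected by default
def admin_users(req: Request) -> str:
    return f"users visible to {req.user}"


def demo() -> List[str]:
    """Exercise the registry with constructed requests; returns what happened."""
    results = [router.dispatch(Request("/health"))]
    results.append(router.dispatch(Request("/admin/users", user="alice")))
    try:
        router.dispatch(Request("/admin/users"))      # no user: must be refused
        results.append("BUG: unauthenticated access allowed")
    except Unauthorized:
        results.append("unauthenticated /admin/users refused")
    results.append("public endpoints: " + ", ".join(router.public_endpoints()))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point is the default: a developer who never thinks about auth ends up with a protected endpoint, and the reviewer's job shrinks from "check every endpoint" to "check the handful that say `public=True`". A real framework would also want the same registry to drive the routing table so that nothing can be served without passing through `dispatch()`.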

Unfortunately the solution is usually domain specific, but recognizing the pattern is the important first step. “That solution relies on Perfect Constant Vigilance and is bound to fail eventually. Let’s explore other options.”