Code has to be simplified until it becomes absolutely correct

Published on 2021-02-16.

If we assume that no security bugs are injected by malicious programmers, then security issues, like other issues, are errors in code introduced by programmers by mistake. This means that the complexity of a program deeply affect the number of mistakes. This also means that one very important goal is to make code as simple as possible, until it becomes absolutely and obviously correct. Complexity is perhaps the most important factor that controls both the creation and defeat of errors, including security related errors.

In the past programmers where forced to create simple and efficient programs because of hardware limitations, and I remember the time when programmers had to squeeze every bit of performance out of the box by constantly improving and simplifying programs.

If there is one thing that is the most destructive and damaging factor with regard to security, then it is complexity.

Once the code becomes simple enough, it is possible to even reach a level of safety where you can guaranty that no security bugs or errors exist in the code.

What I am talking about here is not "clean code", it's code that is focused on solving the problem without the infection of design patterns and added layers of complexity such as object oriented theory or other such things.

One of the most damaging ideas that exists in the software industry is the idea that software efficiency is irrelevant, at that the solution is to always throw more hardware at the problem because hardware is cheap. This idea has made programmers both sloppy and lazy.

With regard to "clean code", which is highly opinionated by the way, then we should only worry about "clean code" in so far that it is related to readability and maintainability and that it is affecting our end product. Other than that, the focus on "clean code" is useless.