6. March 2014 08:35
I have been involved with a really complex web application for past year or so. The application itself is quite straight forward but it is the complexity of UI, business logic and interactions with various third party interfaces that makes it quite complex system.
In recent weeks the development team has been plagued with all sorts of issues trying to get the application to work and behave as expected in Production Environment.
The issues started becoming visible when we moved the application into production environment and the various infrastructure bits started to fail.
As developers we are hard wired to trust our development environment, anything that we develop we have full control over it. And not even for a minute we consider that the application and its dependencies are ever going to fail.
In our case we came across a raft of failures in the production environment where a B2B interface goes offline and it is critical interface that eventually stops the business process.
Also there are scenarios where we receive response values that we never accounted for and application doesn't knows how to deal with them. These silly issues caused our application to break down and stop the process. The business process was anyways not going to be completed but it was the amount of time that it took us to investigate the issue. And another contributing factor in causing use even more headache was our lack of access of production environment.
Upon a close investigation of the issue in hand what I discovered that issue could have been quite easily picked if during development process we had validated data that we receive from various interfaces and from user screens. It goes back to the basics of development which often modern developers tend to forget as they are too busy doing more advanced things with new toolset or technologies.
The basic ground rules for any software development process is never ever trust your input data. You should always validate and verify the data that comes into the application - if it is data from a service, data from form inputs.
Here are some of the best practices around validation of data:
- Never remove server-side validations, it is cool to validate on client side but server should still validate all data when it is posted back into the application
- Always specify Field lengths explicitly, never allow user to enter in as many values as they can.
- Provide helpful validation feedback to user, it should always clearly state the errors and if possible provide ways to fix them
- Don't let users think what is required and what is not, clearly mark fields that are required
- Validate all data that gets exchanged between B2B services. Also ensure that data aligns with the field lengths specified in the database. If there's any differences try to adjust the field lengths.
- In case there's a failure or error within the application, handle it gracefully and do not show any sensitive data as part or exception message.