The Insecurities of Software Development
July 8th, 2012 by ravi

Warning: this post is not about the merits and demerits of programming languages. It’s a polemic about periodic outbreaks of hating on this or that programming language and what might motivate it.

If you frequent popular tech watering holes like Hacker News, sooner or later you are bound to witness a discussion of the differences between some subset of the terms coder, programmer, software developer and software engineer. There really is none. The discussion nevertheless is unsurprising considering that the urge to construct complex theories and artificial hierarchies has been a reliable constant in human history. Software development (like economics), a craft in search of a science, is particularly vulnerable to insecure navel-gazing. All that energy piled up from sophisticated coursework on compiler design, the lambda calculus and finite automata theory has to be expended somewhere, if not in the making of things. And like economics, that energy finds its outlet in punditry.

On that front, these days, par for the hand-wringing and teeth-gnashing course, perhaps its 18th hole, is ado over programming languages. There has been recently a rash of new programming languages and interest in old ones. Don’t like Java or JavaScript? There’s CoffeeScript. And Clojure. Not arcane enough? How about Haskell, Scala, Erlang? Not low level enough? Try Go. Need more cruft? Possibly Java or Microsoft’s C#. Coolness? Definitely Ruby. And then you have Python which, visually, seems to be the COBOL of modern scripting languages. There’s also Lua, Rhino, Limbo… the list goes on. Makes you yearn for the days when all “scripting” languages were dismissed as beneath serious use. Each language has its adherents and deep theory to encourage wider adoption. The cries abound from each corner: mine’s expressive, but mine’s functional, it’s reflective, I got some fine functions as first-class objects right here, check out my concurrency and lazy evaluation, let’s go prototypal… someone more talented could mix an impressive rap song out of this jargon soup.

And if the world undervalues these riches there is always a bad guy to blame. This time around it is PHP. Here is the deservedly much respected Jeff Atwood quoting another blog about PHP:

Now imagine you meet millions of carpenters using this toolbox who tell you “well hey what’s the problem with these tools? They’re all I’ve ever used and they work fine!” And the carpenters show you the houses they’ve built, where every room is a pentagon and the roof is upside-down. And you knock on the front door and it just collapses inwards and they all yell at you for breaking their door.

That’s what’s wrong with PHP.

If you happen to be a PHP programmer and want some salt to go with that wound, the blog author prefaces his screed thus:

PHP is an embarrassment, a blight upon my craft. It’s so broken, but so lauded by every empowered amateur who’s yet to learn anything else, as to be maddening.

[Did he just say “craft”?]

I have seen this before. The reactionary response from Very Serious People to a real world at divergence with their prescriptions — like that researcher at a prominent lab I used to work at who spent an entire hour at lunch, as late in the game as 1993, explaining why the OSI stack was so undeniably superior to the ill-thought out and amateurish TCP/IP. Linus Torvalds, himself a prime mover today, got a taste of it in the early 90s during that infamous micro vs monolithic kernel war with Tanenbaum, when he was accused of [figuratively] bombing operating systems back to the 70s.

What’s with the beatdown?

Now, the world is full of programmers who wake up in the morning, go to work, write some decent code (that doesn’t collapse inwards), go back home and play with their children or an Xbox or perhaps some open source project. Some of this code is in PHP — turns out in fact a huge chunk of it — and while they may not go around “lauding” the language, these programmers are happy enough with it. How do I know? I work with many of them. I interact with many of them on the WordPress mailing lists. I see their work in the hundreds of open source projects written in PHP. Well, no matter. Turns out they may all be “empowered amateurs” (note the revealingly atypical pejorative usage of the word “empowered”)1.

So again, really, what’s going on here?

For that we return to Jeff Atwood, who writes:

The great crime of PHP is its utter banality. Its continued popularity is living proof that quality is irrelevant; cheap and popular and everywhere always wins.

To summarise Atwood: the people have spoken, the bastards! :–)

The implied consensus of the serious people then is that quality lies in some metrics that only true professionals (not those pesky empowered amateurs) understand, and that despite its many flaws (and the blogger linked to above provides a decent list of them) PHP is popular (when did programming become the prom, anyway?) because it is available everywhere. It remains murky why more endearing languages like Python born around the same time as or earlier than PHP are not similarly ubiquitous, or even why PHP got so popular in the first place. Could it be possibly for other reasons than “cheap and everywhere” that PHP is popular (for one thing, in this context, aren’t popularity and being everywhere synonymous)?

Most programmers, empowered or otherwise, can tell language bits that are just bad. Bad because they are complex, non-intuitive, fragile, inconsistent, so on. Here is how one references an array that is part of a data structure in Perl (there are other somewhat cleaner ways to do this):


That’s just a very simple example. You can make one up that is more complex gobbledygook but this is good enough to make one wince. Then again, look up the Good Parts of JavaScript as advertised by the witty and revered Douglas Crockford. This is how one wrangles encapsulation in an object by hacking closures in JavaScript:

var myObject = (function () {
    // Private state: reachable only through the closure below.
    var value = 0;

    return {
        increment: function (inc) {
            value += typeof inc === 'number' ? inc : 1;
        },
        getValue: function () {
            return value;
        }
    };
}());

This awkward approach of defining and invoking a function to create a private or limited-scoped variable is the sort of thing that should worry programmers in the same manner that the earlier bit of Perl code does (or any of the examples of PHP code in the blog posts linked to, do). But of course this sort of complexity is the very opposite of banal; it is obfuscated and clever… and, left unsaid in polite company, it thus helps separate the professionals from head-scratching amateurs.

While we are on perplexing things, Atwood includes an image (look right) of a real world hammer made to match the metaphor of PHP as a two-clawed hammer.

But waitaminit: a [regular] hammer is a pretty banal tool! No doubt you can hop on to Etsy and order up a finely crafted one, made of rare wood and milled metal, exquisitely fitted and what not. A bespoke hammer for hipster programmers. But a regular hammer, cheap and available everywhere, does equally well. Sure, a two-clawed hammer might make it difficult to pound a nail in, but the obverse, a regular hammer, a Python or Ruby or Java, can hardly be credited with creating the “quality” (Atwood’s word) in a piece of furniture or a work of art.

So if the chosen metaphor only diminishes the importance of a programming language in the quality of the final product, why the excessive concern over languages and the accompanying litany of abstractions that go well beyond pedestrian worries over modularity, naming conventions, so on? If a world of Unix, C and excellent software existed for decades (and continues to push the bits of angst on all these here blogs) before the modern obsession with closures or Design Patterns or MVC or functional programming languages, what purpose do the things obsessed over serve? Especially when the things that stand accused of collapsing upon knocking are, by the blogger’s own admission, standing up decently well (e.g. MediaWiki, WordPress, etc.), if with a few props like most things in the real world?

An obvious answer is that obsessive refinement helps advance the field. Few can disagree with the straightforward notion that abstraction and conceptualisation are important contributors to progress, but freeing said concepts from empirical, real-world validation (that sublime proof to be found in the eating of the pudding) feels a lot like putting defensive lipstick on a pig that nobody wants to kiss. And in what world does lipstick look like this:

(def fib-seq
      ( (fn rfib [a b] 
       (lazy-seq (cons a (rfib b (+ a b)))))
    0 1) )

It is, I suspect, in the world of security through obscurity!

1. In this blogger’s defence, to rise to his derision said programmers need to fit these criteria: they have to be someone “who’s yet to learn anything else” and must go around “lauding” PHP. But seriously: does this author leave us with much doubt about what he might have to say about someone exposed to other languages but is happy working with PHP? Surely such a person must be an even greater fool!

4 Responses  
  • Jim Farmelant writes:


    Check out this story in the Boston Globe, “Software company wants all workers to know code: Hoping to narrow technology divide between workers, the firm is requiring every employee to learn JavaScript” (

    I don’t know about you, but I am inclined to think that if it is the goal of the CEO of FreeCause that the non-techies there learn basic programming concepts then JavaScript is probably not the best choice here. When pursued with any degree of depth, JavaScript turns out to be a rather difficult programming language. It’s an object-oriented language, not unlike C++, to which it is closely akin. It seems to me that if the goal is to teach basic programming concepts there are other languages out there that are more suited to the task, such as VB or Ruby.

    On the other hand, maybe this is intended as a project of team building in which case having the marketing manager embarrass herself in front of fellow employees by writing some badly mangled scripting code, to be followed by one of the salesmen proving that he doesn’t know the difference between software code and Morse code, may be just what the CEO has intended all along.
