Web Agencies Need Code Review

Web design and development agencies are lacking in code review practices, and our collective clients are suffering as a result.

Our industry's clients come to us, the web agency community, because we're supposed to know how to make them successful. They bring us their vision, and we spend countless hours strategizing around that vision - brainstorming, documenting, proposing, wire-framing, and comping. Yet after we do all this collaborative work and build a strong project foundation, we just toss the project to engineers, cross our fingers, and hope for the best.

Why does the Product Requirements Document or Technical Specification deserve so much collaborative review, but the software itself is written in a black box? Isn't it just as important, if not more?

How is it that programmers will write pages upon pages of text (e.g. code, markup, styles) without any peer review, yet all other business documents are reviewed by several stakeholders and, in many cases, lawyers?

The academic community thrives on peer review - nothing gets published without scrutiny. As does the literature community - what author has not revised their work several times with editorial feedback?

The argument for peer review isn't merely rhetorical: studies from Bell Labs (Lawrence Votta et al.), Dr. Lesley Pek Wee Land of the University of New South Wales, and dozens of others have repeatedly shown the significant gains of code review. From 1976 to 2012 (Fagan/IBM Systems Journal to Wang/Harbin Institute of Technology), the scientific community has found enormous value in code review, with very few exceptions. In my review of the literature, the only exceptions I find arise because the type of code review didn't fit the situation, not because code review itself was detrimental.

I love the unique defects that are found during code review - they're relatively inexpensive, and have huge gains for everyone involved. When we make a mistake while writing the Product Requirements Document, we simply hit the backspace button - it's quick and free. However, when we catch a bug after a website is published, we suffer expensive downtime and stressful risk management. Yet when we find a defect during code review, we have an opportunity to mentor the developer, improve coding standards, create software tests, and ignite a culture based on learning and reflection.

This pattern is consistent with the academic literature. Across a handful of case studies I reviewed for this post, where each author estimated the company's cost to fix a defect, the defects found during design/comps were the least expensive to fix. Defects found during code review cost between $10 and $75 to fix, those found during QA upwards of $200, and those found after product release between $500 and $10,000. If saving money by reducing defects is important, code reviews are the way to go.

Metal Toad sponsors daily code reviews and peer mentorship out of our own pocket. My hope is that all web design and development agencies pick up code review, and build this practice into their hourly rate.

Quick summary of helpful code review tools

Pre-commit

Most code review software will give you pre- and post-commit review features. Crucible, ReviewBoard, Differential, and several others are masters in this arena. Alas, I am not a huge fan of this heavy-handed, workflow-blocking method for small to mid-sized agencies. That said, I admit that I would want these exact solutions for projects with large teams, especially with open source or international team members. As I mentioned above with regard to the detrimental effects found in the academic literature, code review itself is very helpful, but the type of code review used needs to fit the situation.

Post-commit pre-merge

Gerrit is my favorite in this category. After a dozen experiments, my conclusion is that this is a great tool for software projects and, especially, open source git projects. However, it may be a bit too much for small to mid-sized web agencies.

Post-commit post-merge

This is my favorite type of code review, since the focus is less on repository workflow and more on personal development. In this case, any defects that are found are fixed with a new commit, rather than by rebasing an existing commit prior to merging. Barkeep is my favorite tool in this category, and it is also what we use internally at Metal Toad.

Does your small or mid-sized web agency use code review? What are your thoughts?


Costs of the bug aside, when you head off bugs sooner you may also be catching risky programming behavior. This allows for training opportunities where you not only fix the bug at hand, but prevent similar mistakes from being made in the future. You are improving the quality of your people as well as your products.


About the Author

Tony Rost, Vice President of Engineering

Tony believes that customers' technology problems can be solved with deep respect, sound data, strong process, and adventurous teams. He uses data-driven methods to improve all stages of the development lifecycle – from design, to beta, to final deployment. With numerous ties to the open-source community, Tony also works to solve client problems faster and more effectively with well-tested open-source solutions.

Several dozen products have shipped under his guidance over the past 14 years: collaborative internal sites at Nike, social networking integrations with Adidas, server-monitoring websites at Hewlett Packard, open source contributions to Drupal, entertainment sites such as The Emmys, community sites such as FearNET, and HTML5 apps for tablets and Smart TVs.