the everyday smells beneath the stateful ones

Common Software Defects

The everyday defects in every codebase, read by how they're caught: readability smells a reviewer sees (duplication, magic numbers, bad names), correctness bugs tests catch (DRY violations, off-by-one, sloppy error handling), and security defects a scanner finds (SCA, SAST, DAST). Most don't crash on their own -- they make the stateful bugs harder to see, and the worst of them become vulnerabilities.

Code smells suggest software defects; software defects suggest vulnerabilities. These are the smells everyone makes.

01the defects

The defects in detail

the same logic pasted until the copies disagreeCopy-Pasta MistakesEvery paste is a future bug: one copy gets fixed, the others rot.Read the defect extract on the third repeat, not the firstDRY -- Don't Repeat YourselfTwo copies is a coincidence; three is a pattern that has earned a name.Read the defect literals with no name and no explanationMagic NumbersA number the reader has to decode is a comment you forgot to write.Read the defect the boundary every stateful tool gets wrongOff-by-One ErrorsOff-by-one isn't one language's bug -- it's what every counter, cursor, and pointer drifts into.Read the defect names that have to be decoded before they're understoodNaming ProblemsGood names are the cheapest documentation you'll ever write.Read the defect swallowed failures that surface later as something worsePoor Error HandlingAn error you ignore becomes a crash, a corruption, or a breach.Read the defect unpinned, unscanned, and unreproducible supply chainsDependency Issues (SCA)Code you didn't write still ships in your build -- pin it, lock it, and scan it.Read the defect untrusted input flowing into a dangerous sinkInjection & Taint Flaws (SAST)Static analysis traces a tainted source to a sink; the fix is to break the flow.Read the defect defects you only see when the app is runningRuntime & Integration Flaws (DAST)DAST pokes the live app from outside; these bugs hide in behavior, not source.Read the defect

02the smell

In practice

Unlike the three stateful families, these defects rarely crash on their own — they're the everyday smells that make the stateful bugs harder to see, and the worst of them harden into vulnerabilities. Read them as a 3×3 by how each is caught: a reviewer or linter spots the readability smells (copy-pasta, magic numbers, bad names), tests and types catch the correctness bugs (DRY violations, off-by-one, sloppy error handling), and a scanner finds the security defects (dependency drift via SCA, injectable code via SAST, runtime exposure via DAST). It shows up as anything from a fix you must make in five places to a query a pen-tester turns into a breach — and the tools that make it easy are the most ordinary ones in the editor: copy & paste, a hard-coded literal, an empty catch, an unpinned dependency.

How it shows up

The same change has to be made in several places
Numbers and strings with no explanation
Names that have to be decoded before they're understood
Errors swallowed by empty catch blocks
“Works on my machine” traced to a version drift
A scanner flags an injectable query or an exposed endpoint

Tools that hurt

copy & pastehard-coded literalsabbreviations & single lettersempty catch / except blocksunpinned dependenciesstring-built SQL, shells, and paths

03naming things

Good names have these qualities

Explicitsay what it is, not what it abbreviates

Grokableunderstood at a glance, in context

Consistentthe same idea wears the same word everywhere

Meaningfulcarries intent, not implementation

Pronounceableyou can say it out loud in a standup

Intentionalchosen, not whatever was typed first

Namespacedscoped so two ideas don't collide

Objects & classes are noun phrases. Methods & functions are verb phrases.

04antidotes

Philosophies & antidotes

This family maps to the CWE pillar: CWE-710 — Improper Adherence to Coding Standards