Check input parameters

Apparently assertions work (reddit thread). embedded.com notes that “assertions find at least twice the number of bugs identified by static analyzers”.

Why, WHY are we surprised to find this? The very first lesson of CS 101 that handles modularisation opens with the sentence “Check input parameters”. The second paragraph says “check return values”. The very first lesson of programming security is “check all user inputs”. WHY are we surprised that these practices actually work?

Moreover, why are we not using them? These simple techniques provide effective protection against many SQL injection attacks, XSS flaws, buffer overflows and logic bugs; yet we are too lazy (or too obsessed with “the performance impact”) to use them.
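The three lessons above (check input parameters, check return values, check all user inputs) applied to the length-prefixed copy that becomes a buffer overflow when left unchecked. This is an added illustration, not code from the original post; the record format, the `parse_record`/`name_length`/`load_name` names and the sample bytes are constructed for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format: one length byte, then that many name bytes. */
#define NAME_MAX 31
struct record { char name[NAME_MAX + 1]; };

/* Untrusted input: check every parameter and field, return a status the caller
   must check. No assert() here: asserts may be compiled out, and a failing one
   aborts the process instead of rejecting the input. */
int parse_record(const uint8_t *buf, size_t len, struct record *out) {
    if (buf == NULL || out == NULL) return -1;   /* check input parameters */
    if (len < 1)                    return -2;   /* need the length byte */
    size_t name_len = buf[0];
    if (name_len > NAME_MAX)        return -3;   /* bounded by the destination */
    if (name_len > len - 1)         return -4;   /* bounded by the source */
    memcpy(out->name, buf + 1, name_len);
    out->name[name_len] = '\0';
    return 0;
}

/* Internal helper: the precondition is the programmer's responsibility, so an
   assertion documents and enforces it during development and testing. */
static size_t name_length(const struct record *r) {
    assert(r != NULL);
    size_t n = strlen(r->name);
    assert(n <= NAME_MAX);          /* invariant established by parse_record */
    return n;
}

/* Caller that checks the return value instead of assuming success. */
int load_name(const uint8_t *buf, size_t len, char *dst, size_t dst_sz) {
    struct record r;
    int rc = parse_record(buf, len, &r);
    if (rc != 0) return rc;                      /* check return values */
    if (name_length(&r) >= dst_sz) return -5;    /* destination too small */
    memcpy(dst, r.name, name_length(&r) + 1);
    return 0;
}

int main(void) {
    /* Constructed inputs: a valid record, and one whose length byte claims more bytes than exist. */
    const uint8_t good[] = {5, 'a', 'l', 'i', 'c', 'e'}, bad[] = {200, 'x'};
    char out[16];
    printf("good -> %d (%s)\n", load_name(good, sizeof good, out, sizeof out), out);
    printf("bad  -> %d\n", load_name(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

The split matters: validation rejects hostile input and stays in release builds, while the assertion catches a programmer error in the helper's contract during development, which is the class of bug the quoted figures are about.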

Software Engineering will remain a joke rather than a profession until we start taking evidence-based decisions. Parameter checks and peer review have been demonstrated to offer among the best returns relative to their cost, yet they are seldom the favoured tools in a developer’s toolkit. Instead we like to proclaim the latest anecdotally-supported technology or approach.