problems with hooks

text/50_writing_testable_code.md

@@ -120,7 +120,11 @@ Some interfaces are "automatically" scriptable.  If you are writing a web app, f
 
 Programs which do not provide a method of scripting by virtue of their interface, such as native GUI applications, will ideally have some sort of scripting built into them.  This can be done via __test hooks__, or "hidden" methods which provide a way to input data or receive information about the program.  These are externally accessible, perhaps with a key or other security measure, but usually not publicly advertised.
 
-There are several downsides to adding hooks to your program, or any sort of scriptable interface.  It's a security risk, for one thing---if someone discovers how to access the test hooks, they may be able to determine hidden information, overwrite data, or perform other malicious actions (or simply be curious and make a mistake).  Adding a scriptable interface will require additional complexity in the program, as well as additional program length and size.  The interface may be a drag on performance.  Finally, time spent working on the interface means less time spent writing other features of the software, or improving its quality.
+There are several downsides to adding hooks to your program, or any sort of scriptable interface.  It's a security risk, for one thing---if someone discovers how to access the test hooks, they may be able to determine hidden information, overwrite data, or perform other malicious actions (or simply be curious and make a mistake).  Adding a scriptable interface will require additional complexity in the program, as well as additional program length and size.  The interface may be a drag on performance.
+
+Worse, scripts may give you a false sense of security.  Adding a separate way to access user-facing functionality means that you will need to have (at least) two parallel ways to use the system.  In some cases, functionality that works perfectly fine via the scriptable interface will not work when accessing it the "normal" way.
+
+Time spent working on a scripting interface also means less time spent writing other features of the software, or improving its quality.  This trade-off may be worthwhile, but it should be considered on a project-by-project basis.
 
 You can test graphical and other non-text interfaces without test hooks, but it will tend to be much more difficult.  Writing code to directly interface with something is often the easiest and most direct route.  There are programs out there which allow you to directly manipulate the cursor, take screenshots of the result, and perform other interface interaction which is not scripted.  However, these tools are often finicky and require manual verification of screenshots.