Sophos: Code Analysis Case Study


Sophos is an international security company founded in Oxford, United Kingdom in 1985. Sophos supplies businesses and individuals with anti-virus software, compliance consulting, and network security solutions. To date Sophos has 3000+ employees, 250,000+ customers, 100+ million users, and 30,000+ channel partners.


Sophos has used Salesforce since 2011, not only for CRM, but for its product delivery and fulfillment process. They have a large and complex implementation which came from a series of external partners. Oversights in this process left Sophos with a significant amount of technical debt. The technical debt resulted in major business problems around releases, platform management, and maintainability.

When Stuart Pearce (now Sophos’ Director of Application Development) took over the team, he encountered several issues not present in Sophos’ .NET and Java development processes. Issues included a lack of insight into code quality, a lack of insight into progress, and an inability to manage processes. In addition to these issues, Sophos then brought their development ‘in-house’ with an offshore team of developers that scaled their team by 500%. This further complicated their peer review process and created a new set of challenges.


To overcome their challenges, Sophos began to introduce a series of changes to align their Salesforce development with their enterprise development. Their goals were to have control and insight around how they used Salesforce to stabilize their current system and increase their developers’ productivity. They achieved these goals through version control, revised peer review processes, and deployment automation.



A major factor in Sophos’ new peer review process was a static analysis tool to drive up productivity. The sheer volume of code in their codebase and the rate at which it was changing made manual reviews almost impossible for their senior developers. Sophos employed CodeScan to perform this task.

As a first step, the development team ran scans of their whole implementation to gain insight around its health based on bugs, vulnerabilities, code-quality, and complexity. They used the data in the tool to determine where to focus their resources for the biggest return in code quality, to minimize the current risks, and to regain control of their implementation.

As development continued, automated processes were introduced into the workflow. When changes were committed to feature branches, a CodeScan analysis was triggered to give developers feedback at the stage where issues are cheapest to resolve. A failure to pass CodeScan's Quality Gate also blocked that branch from progressing, forcing developers to view, understand, and rectify the issues before the code moved on.
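The commit-triggered gate described above can be reduced to one rule: count the findings the analysis produced for the branch, compare them against a policy, and return a non-zero exit code so the CI job (and therefore the branch) is blocked. The script below is an added illustration of that pattern, not CodeScan's code or its real report format; the JSON layout, the finding types and severities, the policy thresholds, and the sample findings are all constructed assumptions for the example.

```python
"""Pre-merge quality gate over static-analysis findings.

Added example, not CodeScan's own API or report format. It assumes a JSON
report of the shape {"branch": ..., "findings": [{"type", "severity",
"file", "rule"}, ...]} where type is bug / vulnerability / code_smell and
severity is blocker / critical / major / minor / info.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample report standing in for the analysis of one feature branch
# (Apex class names and rule ids are made up for the example).
SAMPLE_REPORT = json.dumps({
    "branch": "feature/order-fulfilment",
    "findings": [
        {"type": "vulnerability", "severity": "critical",
         "file": "classes/OrderService.cls", "rule": "unescaped-soql-input"},
        {"type": "bug", "severity": "major",
         "file": "classes/InvoiceBatch.cls", "rule": "possible-null-dereference"},
        {"type": "code_smell", "severity": "minor",
         "file": "classes/Utils.cls", "rule": "unused-local-variable"},
    ],
})


@dataclass
class GatePolicy:
    """Thresholds a branch must stay within to pass (assumed values)."""
    max_vulnerabilities: int = 0      # any vulnerability blocks the branch
    max_blocker_or_critical: int = 0  # any blocker/critical finding blocks it
    max_bugs: int = 5                 # a small bug budget is tolerated


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)
    counts: Counter = field(default_factory=Counter)


def evaluate_gate(report_json: str, policy: GatePolicy) -> GateResult:
    """Tally findings by type and severity and check them against the policy."""
    report = json.loads(report_json)
    counts = Counter()
    for finding in report.get("findings", []):
        counts[finding["type"]] += 1
        counts["severity:" + finding["severity"]] += 1

    reasons = []
    if counts["vulnerability"] > policy.max_vulnerabilities:
        reasons.append(f"{counts['vulnerability']} vulnerability finding(s) "
                       f"(limit {policy.max_vulnerabilities})")
    high = counts["severity:blocker"] + counts["severity:critical"]
    if high > policy.max_blocker_or_critical:
        reasons.append(f"{high} blocker/critical finding(s) "
                       f"(limit {policy.max_blocker_or_critical})")
    if counts["bug"] > policy.max_bugs:
        reasons.append(f"{counts['bug']} bug finding(s) (limit {policy.max_bugs})")

    return GateResult(passed=not reasons, reasons=reasons, counts=counts)


def main(argv):
    """Read a report file (or fall back to the sample) and set the CI exit code."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate_gate(report_json, GatePolicy())
    status = "PASSED" if result.passed else "BLOCKED"
    print(f"quality gate {status}: {dict(result.counts)}")
    for reason in result.reasons:
        print("  -", reason)
    # A non-zero exit makes the CI job fail, which is what blocks the branch.
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the analysis in the feature-branch pipeline; the printed reasons are what a developer sees when the branch is blocked, and the severity and type thresholds are the knobs a team tunes as it pays down existing debt.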


CodeScan helped Sophos to scale their team by 500% while maintaining quality by shortening peer review time – time spent on peer reviews was spent solely on reviewing business logic and procedures. Additionally, CodeScan helped to reduce technical debt and lower bugs introduced into production by over 80% by giving insights into code quality as development progressed.

In addition, CodeScan had a number of positive "side effects". It gave Sophos developers automated feedback, helped educate their less experienced developers on writing better code, and freed up their senior developers' time for higher-value design work, maximizing the codebase's maintainability and extensibility.
