Sophos: Code Analysis Case Study

Sophos Case study for Static code analysis

Sophos is an international security company founded in Oxford, United Kingdom, in 1985. Sophos supplies businesses and individuals with anti-virus software, compliance consulting, and network security solutions. To date, Sophos has 3000+ employees, 250,000+ customers, 100+ million users, and 30,000+ channel partners.


Sophos has used Salesforce since 2011, not only for CRM but also for its product delivery and fulfillment process. The result is a large and complex implementation that was built by a series of external partners. Oversights during that process left Sophos with a significant amount of technical debt, which in turn caused major business problems around releases, platform management, and maintainability.

When Stuart Pearce (now Sophos’ Director of Application Development) took over the team, he encountered several issues that were absent from Sophos’ .NET and Java development processes: a lack of insight into code quality, a lack of insight into progress, and an inability to manage processes.

On top of these issues, Sophos brought its development ‘in-house’ with an offshore team of developers, scaling the team by 500%. This further complicated the peer review process and created a new set of challenges.


To overcome these challenges, Sophos began introducing a series of changes to align its Salesforce development with its enterprise development. The goals were to gain control of, and insight into, how Salesforce was being used, to stabilize the current system, and to increase developer productivity. Sophos achieved these goals through version control, revised peer review processes, and deployment automation.



A major factor in Sophos’ new peer review process was a static analysis tool to drive up productivity. The sheer volume of code in the codebase, and the rate at which it was changing, made manual review by senior developers almost impossible. Sophos employed CodeScan to perform this task.

As a first step, the development team ran scans of the whole implementation to gain insight into its health, measured by bugs, vulnerabilities, code quality, and complexity. They used the data in the tool to decide where to focus their resources for the biggest return in code quality, to minimize the current risks, and to regain control of the implementation.

As development continued, automated processes were introduced into the workflow. When changes were committed to feature branches, a CodeScan analysis was triggered to give developers feedback at the stage where issues are cheapest to resolve. A branch that failed CodeScan’s Quality Gate was actively blocked from progressing, requiring developers to review, understand, and fix the reported issues before it could move on.


CodeScan helped Sophos scale its team by 500% while maintaining quality, by shortening peer review time – time spent on peer reviews went solely to reviewing business logic and procedures. Additionally, CodeScan helped reduce technical debt and cut the number of bugs introduced into production by over 80%, by giving insight into code quality as development progressed.

CodeScan also had a number of positive “side effects”. It gave Sophos developers automated feedback, helped educate less experienced developers on writing better code, and freed up senior developers’ time for higher-value design issues, maximizing the codebase’s maintainability and extensibility.
