Sophos: Code Analysis Case Study
Posted on August 13, 2020
Sophos is an international security company founded in Oxford, United Kingdom in 1985. Sophos supplies businesses and individuals with anti-virus software, compliance consulting, and network security solutions. To date, Sophos has 3000+ employees, 250,000+ customers, 100+ million users, and 30,000+ channel partners.
Sophos has used Salesforce since 2011, not only for CRM, but for its product delivery and fulfillment process. They have a large and complex implementation which came from a series of external partners. Oversights in this process left Sophos with a significant amount of technical debt. The technical debt resulted in major business problems around releases, platform management, and maintainability.
When Stuart Pearce (now Sophos’ Director of Application Development) took over the team, he encountered several issues not present in Sophos’ .NET and Java development processes: a lack of insight into code quality, a lack of insight into progress, and an inability to manage processes. In addition, Sophos then brought their development ‘in-house’ with an offshore team of developers that scaled their team by 500%. This further complicated their peer review process and created a new set of challenges.
To overcome their challenges, Sophos began to introduce a series of changes to align their Salesforce development with their enterprise development. Their goals were to have control and insight around how they used Salesforce to stabilize their current system and increase their developers' productivity. They achieved these goals through version control, revised peer review processes, and deployment automation.
A NEW SOLUTION
A major factor in Sophos’ new peer review process was a static analysis tool to drive up productivity. The sheer volume of code in their codebase and the rate at which it was changing made manual reviews almost impossible for their senior developers. Sophos employed CodeScan to perform this task.
As a first step, the development team ran scans of their whole implementation to gain insight around its health based on bugs, vulnerabilities, code-quality, and complexity. They used the data in the tool to determine where to focus their resources for the biggest return in code quality, to minimize the current risks, and to regain control of their implementation.
As development continued, automated processes were introduced into the workflow. When changes were committed to the feature branches, a CodeScan analysis was triggered to provide feedback to developers at a stage where issues are cheapest to resolve. A failure to pass CodeScan’s Quality Gate would also result in that branch being actively blocked from progressing, forcing developers to view the issues, understand, and rectify them.
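The commit-triggered gate described above, as an added illustration that is not CodeScan’s code, not CodeScan’s output format, and not Sophos’ pipeline: a hypothetical Python quality gate that compares the branch scan against the baseline scan of the target branch, so only issues the change introduced are judged, and exits non-zero so the CI job blocks the branch. The JSON layout, rule names, file paths and thresholds are all constructed for this example.

```python
"""Hypothetical CI quality gate over static-analysis findings.

Assumed, constructed JSON layout (not CodeScan's real output format):
a list of objects with rule, severity, kind, path and line.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field

# Ordered from least to most severe; used to compare against a threshold.
SEVERITY_RANK = {"info": 0, "minor": 1, "major": 2, "critical": 3, "blocker": 4}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    kind: str      # "bug", "vulnerability" or "code_smell"
    path: str
    line: int

    def key(self) -> tuple:
        # Identity of a finding across scans: same rule at the same location.
        return (self.rule, self.path, self.line)


@dataclass
class GateResult:
    passed: bool
    new_findings: list[Finding] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)


def parse_findings(raw_json: str) -> list[Finding]:
    return [Finding(**item) for item in json.loads(raw_json)]


def diff_findings(branch: list[Finding], baseline: list[Finding]) -> list[Finding]:
    """Findings present in the branch scan but absent from the baseline scan."""
    known = {f.key() for f in baseline}
    return [f for f in branch if f.key() not in known]


def evaluate_gate(branch: list[Finding], baseline: list[Finding], *,
                  max_new_bugs: int = 0, min_vuln_severity: str = "major") -> GateResult:
    """Judge only what the change introduced, so pre-existing debt does not block every branch."""
    introduced = diff_findings(branch, baseline)
    reasons: list[str] = []
    threshold = SEVERITY_RANK[min_vuln_severity]

    vulns = [f for f in introduced
             if f.kind == "vulnerability" and SEVERITY_RANK[f.severity] >= threshold]
    if vulns:
        reasons.append(f"{len(vulns)} new vulnerability finding(s) at severity >= {min_vuln_severity}")

    bugs = [f for f in introduced if f.kind == "bug"]
    if len(bugs) > max_new_bugs:
        reasons.append(f"{len(bugs)} new bug finding(s), limit is {max_new_bugs}")

    blockers = [f for f in introduced if f.severity == "blocker"]
    if blockers:
        reasons.append(f"{len(blockers)} new blocker-severity finding(s) of any kind")

    return GateResult(passed=not reasons, new_findings=introduced, reasons=reasons)


# Constructed sample scans (hypothetical Apex file names and rule ids).
BASELINE_JSON = json.dumps([
    {"rule": "sql-injection", "severity": "major", "kind": "vulnerability",
     "path": "classes/AccountService.cls", "line": 42},
    {"rule": "unused-variable", "severity": "minor", "kind": "code_smell",
     "path": "classes/Util.cls", "line": 10},
])
BRANCH_JSON = json.dumps(json.loads(BASELINE_JSON) + [
    {"rule": "hardcoded-credential", "severity": "critical", "kind": "vulnerability",
     "path": "classes/LoginController.cls", "line": 17},
    {"rule": "null-dereference", "severity": "major", "kind": "bug",
     "path": "classes/OrderBatch.cls", "line": 88},
    {"rule": "long-method", "severity": "minor", "kind": "code_smell",
     "path": "classes/OrderBatch.cls", "line": 12},
])


def main(argv: list[str]) -> int:
    # Usage: gate.py <branch-scan.json> <baseline-scan.json>; falls back to the samples.
    if len(argv) == 3:
        branch = parse_findings(open(argv[1]).read())
        baseline = parse_findings(open(argv[2]).read())
    else:
        branch, baseline = parse_findings(BRANCH_JSON), parse_findings(BASELINE_JSON)
    result = evaluate_gate(branch, baseline)
    for f in result.new_findings:
        print(f"NEW {f.severity:<8} {f.kind:<13} {f.rule} at {f.path}:{f.line}")
    for reason in result.reasons:
        print(f"GATE FAILED: {reason}")
    print("quality gate:", "passed" if result.passed else "failed")
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The diff against the baseline is what makes the gate usable on a codebase already carrying technical debt: developers are blocked only for what their own commit added, which is the cheapest point to fix it, while the pre-existing backlog is worked down separately using the whole-implementation scan.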
CodeScan helped Sophos to scale their team by 500% while maintaining quality by shortening peer review time - time spent on peer reviews was spent solely on reviewing business logic and procedures. Additionally, CodeScan helped to reduce technical debt and to cut the bugs introduced into production by over 80% by giving insights into code quality as development progressed.
In addition, CodeScan had a number of positive “side effects”. It gave Sophos developers automated feedback, helped educate their less experienced developers on writing better code, and freed up the time of their senior developers for higher-value design issues, maximizing the codebase’s maintainability and extensibility.