Komatsu Australia cuts mean time to fix vulnerabilities 62% in three months with Snyk
Australian equipment distributor Komatsu adopted Snyk Open Source and Snyk Code to replace SonarCloud for SAST scanning, reducing mean time to fix critical vulnerabilities by 62% in the first three months and improving its application security risk posture by 28% over six months.
Background
Komatsu Australia wanted to modernize its application security posture as part of a 2022 strategic initiative to shift security left. The team was using SonarCloud for SAST but found it slow and separate from developers' daily workflows. With the goal of reducing vulnerability discovery-to-remediation time and improving visibility across business units and vendors, the company began evaluating developer-first security platforms.
What Was Implemented
- Deployed Snyk Open Source (SCA) for scanning open source dependencies across development teams integrated with Visual Studio and Azure DevOps CI/CD pipelines
- Migrated from SonarCloud to Snyk Code (SAST) to consolidate code quality and vulnerability scanning into a single platform visible within the IDE
- Established developer alerting for new vulnerabilities as they are discovered
- Planned future integration with Jira for automated security ticket creation
Results
Komatsu reduced its mean time to fix vulnerabilities by 62% in the first three months following implementation. Over six months, it improved its application security risk posture by 28% . Snyk scanning ran twice as fast as the previous solution, improving developer adoption and reducing pipeline wait times. Additionally, 19% of medium or high vulnerabilities fixed by Komatsu were only discoverable through Snyk's database at the time, indicating unique detection coverage. Developers reported positive feedback on the platform's ease of use and integration.
Lessons
- Consolidating SAST and SCA into a single IDE-integrated tool reduces context-switching and significantly improves developer adoption.
- Developer-friendly security tools lower cultural resistance by meeting developers in their existing workflow rather than adding separate portals.
- Measuring mean time to fix — not just number of vulnerabilities found — aligns security KPIs with business outcomes.
- Early-discovery database coverage (finding vulnerabilities other tools miss) provides an additional argument for platform selection beyond speed and usability.