Computer Systems Design and Related Services2022Machine Learning (classification)B2B
Komatsu Australia

Komatsu Australia cuts mean time to fix vulnerabilities 62% in three months with Snyk

Australian equipment distributor Komatsu adopted Snyk Open Source and Snyk Code to replace SonarCloud for SAST scanning, reducing mean time to fix critical vulnerabilities by 62% in the first three months and improving its application security risk posture by 28% over six months.

Mean time to fix reduction62%
AppSec risk posture improvement28%
Scan speed vs. previous solution2 x faster
Duration6 mo.
5 min read

Background

Komatsu Australia wanted to modernize its application security posture as part of a 2022 strategic initiative to shift security left. The team was using SonarCloud for SAST but found it slow and separate from developers' daily workflows. With the goal of reducing vulnerability discovery-to-remediation time and improving visibility across business units and vendors, the company began evaluating developer-first security platforms.

What Was Implemented

  • Deployed Snyk Open Source (SCA) for scanning open source dependencies across development teams integrated with Visual Studio and Azure DevOps CI/CD pipelines
  • Migrated from SonarCloud to Snyk Code (SAST) to consolidate code quality and vulnerability scanning into a single platform visible within the IDE
  • Established developer alerting for new vulnerabilities as they are discovered
  • Planned future integration with Jira for automated security ticket creation

Results

Komatsu reduced its mean time to fix vulnerabilities by 62% in the first three months following implementation. Over six months, it improved its application security risk posture by 28% . Snyk scanning ran twice as fast as the previous solution, improving developer adoption and reducing pipeline wait times. Additionally, 19% of medium or high vulnerabilities fixed by Komatsu were only discoverable through Snyk's database at the time, indicating unique detection coverage. Developers reported positive feedback on the platform's ease of use and integration.

Lessons

  • Consolidating SAST and SCA into a single IDE-integrated tool reduces context-switching and significantly improves developer adoption.
  • Developer-friendly security tools lower cultural resistance by meeting developers in their existing workflow rather than adding separate portals.
  • Measuring mean time to fix — not just number of vulnerabilities found — aligns security KPIs with business outcomes.
  • Early-discovery database coverage (finding vulnerabilities other tools miss) provides an additional argument for platform selection beyond speed and usability.

Ready to implement AI in your commerce operations?

McFadyen Digital helps teams move from case study to live implementation.

Talk to an expert →