By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept
Set Up a Call with James
Install
ToolAccuracy of FindingsDetects Non-Pattern-Based Issues?Coverage of SAST FindingsSpeed of ScanningUsability & Dev Experience
DryRun SecurityVery high – caught multiple critical issues missed by othersYes – context-based analysis, logic flaws & SSRFBroad coverage of standard vulns, logic flaws, and extendableNear real-time PR feedback
Snyk CodeHigh on well-known patterns (SQLi, XSS), but misses other categoriesLimited – AI-based, focuses on recognized vulnerabilitiesGood coverage of standard vulns; may miss SSRF or advanced auth logic issuesFast, often near PR speedDecent GitHub integration, but rules are a black box
GitHub Advanced Security (CodeQL)Very high precision for known queries, low false positivesPartial – strong dataflow for known issues, needs custom queriesGood for SQLi and XSS but logic flaws require advanced CodeQL experience.Moderate to slow (GitHub Action based)Requires CodeQL expertise for custom logic
SemgrepMedium, but there is a good community for adding rulesPrimarily pattern-based with limited dataflowDecent coverage with the right rules, can still miss advanced logic or SSRFFast scansHas custom rules, but dev teams must maintain them
SonarQubeLow – misses serious issues in our testingLimited – mostly pattern-based, code quality orientedBasic coverage for standard vulns, many hotspots require manual reviewModerate, usually in CIDashboard-based approach, can pass “quality gate” despite real vulns
Vulnerability ClassSnyk (partial)GitHub (CodeQL) (partial)SemgrepSonarQubeDryRun Security
SQL Injection
*
Cross-Site Scripting (XSS)
SSRF
Auth Flaw / IDOR
User Enumeration
Hardcoded Token
ToolAccuracy of FindingsDetects Non-Pattern-Based Issues?Coverage of C# VulnerabilitiesScan SpeedDeveloper Experience
DryRun Security
Very high – caught all critical flaws missed by others
Yes – context-based analysis finds logic errors, auth flaws, etc.
Broad coverage of OWASP Top 10 vulns plus business logic issuesNear real-time (PR comment within seconds)Clear single PR comment with detailed insights; no config or custom scripts needed
Snyk CodeHigh on known patterns (SQLi, XSS), but misses logic/flow bugsLimited – focuses on recognizable vulnerability patterns
Good for standard vulns; may miss SSRF or auth logic issues 
Fast (integrates into PR checks)Decent GitHub integration, but rules are a black box (no easy customization)
GitHub Advanced Security (CodeQL)Low - missed everything except SQL InjectionMostly pattern-basedLow – only discovered SQL InjectionSlowest of all but finished in 1 minuteConcise annotation with a suggested fix and optional auto-remedation
SemgrepMedium – finds common issues with community rules, some missesPrimarily pattern-based, limited data flow analysis
Decent coverage with the right rules; misses advanced logic flaws 
Very fast (runs as lightweight CI)Custom rules possible, but require maintenance and security expertise
SonarQube
Low – missed serious issues in our testing
Mostly pattern-based (code quality focus)Basic coverage for known vulns; many issues flagged as “hotspots” require manual review Moderate (runs in CI/CD pipeline)Results in dashboard; risk of false sense of security if quality gate passes despite vulnerabilities
Vulnerability ClassSnyk CodeGitHub Advanced Security (CodeQL)SemgrepSonarQubeDryRun Security
SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Server-Side Request Forgery (SSRF)
Auth Logic/IDOR
User Enumeration
Hardcoded Credentials
VulnerabilityDryRun SecuritySemgrepGitHub CodeQLSonarQubeSnyk Code
1. Remote Code Execution via Unsafe Deserialization
2. Code Injection via eval() Usage
3. SQL Injection in a Raw Database Query
4. Weak Encryption (AES ECB Mode)
5. Broken Access Control / Logic Flaw in Authentication
Total Found5/53/51/51/50/5
DryRun Security News
August 15, 2023

DryRun Security Introduces Contextual Security Analysis Guide for AppSec 

Blog
DryRun Security News
Linkedin
Twitter
Facebook

Complimentary Guide Presents Insights and Solutions to Enable Developers to Efficiently Implement CSA 

Austin, TX, August 15th, 2023: DryRun Security, a pioneering company addressing the gap between security and developers, is thrilled to unveil their new Contextual Security Analysis guide, catered to AppSec professionals and developers. The guide, accessible at www.dryrun.security/resources/csa-guide, equips readers to scale application security across their organization. This resource offers valuable insights on security testing that fits with modern development practices at organizations using DevOps or Agile methodologies for software delivery.

Contextual Security Analysis (CSA) represents a novel approach to application security that centers on comprehending an application's functionality, identifying sensitive components, and assessing the potential security implications of code changes. CSA leverages contextual cues gathered during code development, such as code paths, functions, authors, and languages, to facilitate real-time context-aware assertions. This approach is particularly effective for modern applications characterized by distribution, microservices architecture, and substantial reliance on APIs and third-party elements. The guide from DryRun Security is an essential tool to understanding how developers can secure their applications without being security experts. 

“When developers outnumber security 100 to 1, a different approach is needed,” said Ken Johnson, Co-founder & CTO, DryRun Security. “This guide pulls from my experience at GitHub, where every piece of work we performed involved calculating risk. At GitHub, we used a risk metric to guide our efforts in everything from vulnerability triage to security reviews and everywhere in between. We constantly made these risk calculations and risk-based decisions, and we did so utilizing a multitude of variables and contextually relevant data.  We didn’t call it Contextual Security Analysis at the time, but looking back now that really was the origin story for Contextual Security Analysis.”

Brian Walter, CEO of OpenContext, attests to the value of Contextual Security Analysis: "DryRun Security has guided us in uncovering security vulnerabilities within lesser-explored areas of our code. Their mission aligns seamlessly with our organization's ethos, as our developer team holds security in high regard. DryRun Security technology empowers our developers to preemptively address issues during the build phase, ensuring the delivery of a secure end product to our customers." Walter anticipates that the guide will facilitate the implementation and scalability of novel application security testing, and align the security and development groups in larger organizations.

The Contextual Security Analysis guide seamlessly aligns with DryRun Security's overarching objective of bridging the gap between security and developers. This initiative presents developers, who notably outnumber security professionals, with a robust solution and guidance for CSA implementation. As the company remains at the forefront of CSA innovation, this guide expands on the security training and industry presentations Johnson and James Wickett, CEO of DryRun Security, have delivered on the subject. Notably, the DryRun Security beta program has already provided tangible instances of contextual security analysis in action, drawing significant interest for its ability to bridge the development and security divide.

For more details about DryRun Security and to access the free CSA Guide, please visit https://www.dryrun.security/.

***

About DryRun Security: DryRun Security stands as a pioneering software security enterprise, delivering automated security reviews in tandem with code development. Founded by James Wickett and Ken Johnson, the company introduces an inventive approach through Contextual Security Analysis, an exclusive method refined by training over 10,000 developers in security testing and code reviews. This innovative approach empowers developers and security teams to transcend conventional security assessment approaches, proactively addressing potential bugs prior to deployment. To learn more, please visit https://dryrun.security/.

 

DryRun Security
News and Updates
,
DryRun Security
No items found.
Linkedin
Twitter
Facebook

Related Blogs

DryRun Security News
December 13, 2024

DryRun Security Announces SOC2 Type II Certification

We’re excited to announce that we have received our SOC2 Type 2 attestation report! By building robust controls early on in our product, we show our commitment to maintaining consistently reliable systems, where your data is protected and workflows remain uninterrupted. This is an important step in our journey to exceeding expectations and empowering teams to build secure software faster.

DryRun Security
News and Updates
DryRun Security News
July 15, 2024

DryRun Security Named Finalist for 2024 BlackHat Startup Spotlight Competition

"We are thrilled to be recognized as a finalist among such remarkable companies," said James Wickett, CEO & Co-founder of DryRun Security. "Our approach using context and behavior to perform automated, seamless code reviews is making a significant impact, and we are excited to showcase our technology at BlackHat."

DryRun Security
News and Updates