| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of SAST Findings | Speed of Scanning | Usability & Dev Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught multiple critical issues missed by others | Yes – context-based analysis, logic flaws & SSRF | Broad coverage of standard vulns, logic flaws, and extendable | Near real-time PR feedback | |
| Snyk Code | High on well-known patterns (SQLi, XSS), but misses other categories | Limited – AI-based, focuses on recognized vulnerabilities | Good coverage of standard vulns; may miss SSRF or advanced auth logic issues | Fast, often near PR speed | Decent GitHub integration, but rules are a black box |
| GitHub Advanced Security (CodeQL) | Very high precision for known queries, low false positives | Partial – strong dataflow for known issues, needs custom queries | Good for SQLi and XSS, but logic flaws require advanced CodeQL experience | Moderate to slow (GitHub Action based) | Requires CodeQL expertise for custom logic |
| Semgrep | Medium, but there is a good community for adding rules | Primarily pattern-based with limited dataflow | Decent coverage with the right rules; can still miss advanced logic or SSRF | Fast scans | Has custom rules, but dev teams must maintain them |
| SonarQube | Low – misses serious issues in our testing | Limited – mostly pattern-based, code quality oriented | Basic coverage for standard vulns; many hotspots require manual review | Moderate, usually in CI | Dashboard-based approach; can pass “quality gate” despite real vulns |
| Vulnerability Class | Snyk (partial) | GitHub (CodeQL) (partial) | Semgrep | SonarQube | DryRun Security |
|---|---|---|---|---|---|
| SQL Injection \* | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| SSRF | | | | | |
| Auth Flaw / IDOR | | | | | |
| User Enumeration | | | | | |
| Hardcoded Token | | | | | |
| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of C# Vulnerabilities | Scan Speed | Developer Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught all critical flaws missed by others | Yes – context-based analysis finds logic errors, auth flaws, etc. | Broad coverage of OWASP Top 10 vulns plus business logic issues | Near real-time (PR comment within seconds) | Clear single PR comment with detailed insights; no config or custom scripts needed |
| Snyk Code | High on known patterns (SQLi, XSS), but misses logic/flow bugs | Limited – focuses on recognizable vulnerability patterns | Good for standard vulns; may miss SSRF or auth logic issues | Fast (integrates into PR checks) | Decent GitHub integration, but rules are a black box (no easy customization) |
| GitHub Advanced Security (CodeQL) | Low – missed everything except SQL Injection | Mostly pattern-based | Low – only discovered SQL Injection | Slowest of all, but finished in 1 minute | Concise annotation with a suggested fix and optional auto-remediation |
| Semgrep | Medium – finds common issues with community rules, some misses | Primarily pattern-based, limited data flow analysis | Decent coverage with the right rules; misses advanced logic flaws | Very fast (runs as lightweight CI) | Custom rules possible, but require maintenance and security expertise |
| SonarQube | Low – missed serious issues in our testing | Mostly pattern-based (code quality focus) | Basic coverage for known vulns; many issues flagged as “hotspots” require manual review | Moderate (runs in CI/CD pipeline) | Results in dashboard; risk of a false sense of security if the quality gate passes despite vulnerabilities |
| Vulnerability Class | Snyk Code | GitHub Advanced Security (CodeQL) | Semgrep | SonarQube | DryRun Security |
|---|---|---|---|---|---|
| SQL Injection (SQLi) | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| Server-Side Request Forgery (SSRF) | | | | | |
| Auth Logic/IDOR | | | | | |
| User Enumeration | | | | | |
| Hardcoded Credentials | | | | | |
| Vulnerability | DryRun Security | Semgrep | GitHub CodeQL | SonarQube | Snyk Code |
|---|---|---|---|---|---|
| 1. Remote Code Execution via Unsafe Deserialization | | | | | |
| 2. Code Injection via eval() Usage | | | | | |
| 3. SQL Injection in a Raw Database Query | | | | | |
| 4. Weak Encryption (AES ECB Mode) | | | | | |
| 5. Broken Access Control / Logic Flaw in Authentication | | | | | |
| Total Found | 5/5 | 3/5 | 1/5 | 1/5 | 0/5 |
DryRun Security News
July 15, 2024

DryRun Security Named Finalist for 2024 BlackHat Startup Spotlight Competition

AUSTIN, TX, July 12, 2024 — DryRun Security, a trailblazer in application security (AppSec), is excited to announce that it has been named one of four finalists for the prestigious 2024 BlackHat Startup Spotlight Competition. This recognition underscores DryRun Security's innovative approach in empowering developers and security teams with automated, behavioral code reviews.

James Wickett, CEO of DryRun Security, will present the company's cutting-edge technology at the competition, which will take place on August 5, 2024, in Las Vegas at BlackHat USA 2024. The competition, now in its third year, highlights startups with fewer than 50 employees that are solving critical security challenges with innovative solutions.

"We are thrilled to be recognized as a finalist among such remarkable companies," said James Wickett, CEO & Co-founder of DryRun Security. "Our approach using context and behavior to perform automated, seamless code reviews is making a significant impact, and we are excited to showcase our technology at BlackHat."

DryRun Security operates as if a team of elite AppSec code reviewers is continuously at work. A dozen analyzers examine your code to gather the needed security context, running within seconds after a developer makes a change. This proprietary process interrogates each code change based on behaviors, not just static patterns, answering critical security questions such as:

  • Is this change modifying the encryption of sensitive data?
  • Does this introduce new authorization to an API endpoint?
  • Is this code obfuscating its purpose?
  • And more!

These behavioral questions are beyond the scope of traditional static application security testing (SAST) or pattern-matching approaches. Currently, DryRun Security conducts more than 10,000 secure code reviews weekly for their customers, ensuring every code change is covered.

After using DryRun Security for a few weeks, the VP of engineering for a health-tech company shared, “This is the kind of stuff that traditionally we've relied on Steve for, but obviously Steve, there's only one of him. We've tried to clone him, but we can't.”

“The security industry has been analyzing software in the same way for about 26 years now. The industry took this outdated security tooling—built for security people—put it in the CI/CD pipeline, and marketed it as developer friendly,” said Ken Johnson, CTO & Co-founder of DryRun Security. “That’s why James and I started DryRun Security. We have taken new foundational technology and used it to build not only a truly developer-first tool but an entirely new way of analyzing and detecting risk. If you’re a developer, you get a security buddy to help you. If you’re a security person, you have an awareness & triage agent to help scale your team.”

DryRun Security's innovative approach is grounded in the principles of Contextual Security Analysis (CSA). CSA leverages all pieces of context gathered as developers write code (e.g., code path, functions, author, language) to make contextually aware assertions in near real-time. This method short-circuits long feedback loops and reduces the noise generated by legacy scanners, prioritizing minimal clock time and integrating seamlessly with DevOps and Agile practices.

The BlackHat Startup Spotlight Competition serves as a high-profile platform for innovative startups. DryRun Security will present alongside three other finalists to a panel of renowned industry judges, including Omdia Senior Analyst Ketaki Borade, CISO Advisor and Investor Coleen Coolidge, Deepwatch Chief Information Security Officer Trey Ford, Omdia Principal Analyst Hollie Hennessy, Azeria Labs Founder & CEO Maria Markstedter, Partner at Lytical Ventures Lucas Nelson, Principal at Polymathics and Venture Partner at Nextgen Venture Partners Robert J. Stratton III, and Omdia Senior Principal Analyst Rik Turner.

The competition will kick off at 4:45 PM PST on August 5, and winners will be announced at approximately 5:50 PM PST the same day. For more information regarding BlackHat USA 2024, taking place at Mandalay Bay Convention Center in Las Vegas from August 3-8, please visit https://www.blackhat.com/us-24/.

**About DryRun Security**

DryRun Security is revolutionizing application security by providing automated, behavioral code reviews that ensure seamless and robust security for developers and security teams. By leveraging context and behavior, DryRun Security's proprietary technology interrogates each code change to deliver unparalleled security insights. Try it free at https://dryrun.security.

**Media Contact:**

Tiffany Knudtson
Marketing and Media Coordinator
DryRun Security  
tiffany@dryrunsecurity.com