By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
ToolAccuracy of FindingsDetects Non-Pattern-Based Issues?Coverage of SAST FindingsSpeed of ScanningUsability & Dev Experience
DryRun SecurityVery high – caught multiple critical issues missed by othersYes – context-based analysis, logic flaws & SSRFBroad coverage of standard vulns, logic flaws, and extendableNear real-time PR feedback
Snyk CodeHigh on well-known patterns (SQLi, XSS), but misses other categoriesLimited – AI-based, focuses on recognized vulnerabilitiesGood coverage of standard vulns; may miss SSRF or advanced auth logic issuesFast, often near PR speedDecent GitHub integration, but rules are a black box
GitHub Advanced Security (CodeQL)Very high precision for known queries, low false positivesPartial – strong dataflow for known issues, needs custom queriesGood for SQLi and XSS but logic flaws require advanced CodeQL experience.Moderate to slow (GitHub Action based)Requires CodeQL expertise for custom logic
SemgrepMedium, but there is a good community for adding rulesPrimarily pattern-based with limited dataflowDecent coverage with the right rules, can still miss advanced logic or SSRFFast scansHas custom rules, but dev teams must maintain them
SonarQubeLow – misses serious issues in our testingLimited – mostly pattern-based, code quality orientedBasic coverage for standard vulns, many hotspots require manual reviewModerate, usually in CIDashboard-based approach, can pass “quality gate” despite real vulns
Vulnerability ClassSnyk (partial)GitHub (CodeQL) (partial)SemgrepSonarQubeDryRun Security
SQL Injection
*
Cross-Site Scripting (XSS)
SSRF
Auth Flaw / IDOR
User Enumeration
Hardcoded Token
ToolAccuracy of FindingsDetects Non-Pattern-Based Issues?Coverage of C# VulnerabilitiesScan SpeedDeveloper Experience
DryRun Security
Very high – caught all critical flaws missed by others
Yes – context-based analysis finds logic errors, auth flaws, etc.
Broad coverage of OWASP Top 10 vulns plus business logic issuesNear real-time (PR comment within seconds)Clear single PR comment with detailed insights; no config or custom scripts needed
Snyk CodeHigh on known patterns (SQLi, XSS), but misses logic/flow bugsLimited – focuses on recognizable vulnerability patterns
Good for standard vulns; may miss SSRF or auth logic issues 
Fast (integrates into PR checks)Decent GitHub integration, but rules are a black box (no easy customization)
GitHub Advanced Security (CodeQL)Low - missed everything except SQL InjectionMostly pattern-basedLow – only discovered SQL InjectionSlowest of all but finished in 1 minuteConcise annotation with a suggested fix and optional auto-remedation
SemgrepMedium – finds common issues with community rules, some missesPrimarily pattern-based, limited data flow analysis
Decent coverage with the right rules; misses advanced logic flaws 
Very fast (runs as lightweight CI)Custom rules possible, but require maintenance and security expertise
SonarQube
Low – missed serious issues in our testing
Mostly pattern-based (code quality focus)Basic coverage for known vulns; many issues flagged as “hotspots” require manual review Moderate (runs in CI/CD pipeline)Results in dashboard; risk of false sense of security if quality gate passes despite vulnerabilities
Vulnerability ClassSnyk CodeGitHub Advanced Security (CodeQL)SemgrepSonarQubeDryRun Security
SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Server-Side Request Forgery (SSRF)
Auth Logic/IDOR
User Enumeration
Hardcoded Credentials
VulnerabilityDryRun SecuritySemgrepGitHub CodeQLSonarQubeSnyk Code
1. Remote Code Execution via Unsafe Deserialization
2. Code Injection via eval() Usage
3. SQL Injection in a Raw Database Query
4. Weak Encryption (AES ECB Mode)
5. Broken Access Control / Logic Flaw in Authentication
Total Found5/53/51/51/50/5
Features
January 24, 2024

Finding Risky Code Changes Inside Auth Functions

One way to determine if a particular code change is more risky than others is to evaluate which functions are modified when new code is presented for review. (n.b. We’re using the term “function” to represent routines, subprograms, subroutines, procedures, and methods.) We all have those particular functions in our code that, when they show up in a code review, we lean in and look closer. If you’re a multi-tenant SaaS, resource and data authorization (authz) functions usually cause the “lean in” to occur. Every engineer at a SaaS company knows that job one is to keep customer data separated.  

Another example of a code review that causes reviewers to “lean in” is anything around authentication (authn). Whether adding a new provider or changing an existing authn method. Just as we don’t want to cross-contaminate customer data, we also want to avoid scenarios where all the users are locked out, force password changes en masse, or introduce a vulnerability.  (There are dozens of other negative scenarios that can unfold when authn or authz goes wrong, but fear mongering isn’t our style.)

But, here’s the problem. Every day, our code changes immensely. Every day, we are asked to ship more and more features and bug fixes. Every day, there are more pull requests and code changes than any single application security expert could review.

While authn changes may not occur as frequently as say, authz—we need to know about both and use this as a data point when forming a risk assessment of the changes being introduced to our code base. Put another way, authn/z modifications are a very good indicator that the changes being introduced require careful consideration.

Meet your AI-Powered Sensitive Functions Analyzer

At DryRun Security, we’ve launched a new analyzer in our product that assists in the code review process by finding changes to sensitive functions, with a heavy emphasis on authn/z. Given that these functions are commonly used and are the first line of defense in securing applications, and for all the reasons above, we chose to start there.

It’s not only AI-powered, it’s also powered by our core approach to everything we do: Contextual Security Analysis (CSA). CSA is a paradigm shift in how we view application security. It evaluates each change using the SLIDE (Surface, Language, Intent, Detections, and Environment) framework to calculate the risk of any given code change.

Sensitive Functions in Action

Let’s say that in our local development environment we make a change to config/passport.js in order to perform some testing. Now, that change shouldn’t reach production and certainly should not makes its way into the pull request. However, as we all know, things like this occur all the time.


passport.use(new OpenIDStrategy({    
apiKey: process.env.STEAM_KEY,    
// TODO change before we go to prod, using test providerURL   
//providerURL: 'http://steamcommunity.com/openid',    
providerURL: 'http://test.com/openid',    
returnURL: ${process.env.BASE_URL}/auth/steam/callback,    
realm: ${process.env.BASE_URL}/,    
stateless: true 

The AI-powered Sensitive Function analyzer detects the change and flags it as a potentially sensitive modification because it touches authn/z. It will also tell you why that particular change caused it to alert.

This function is related to authorization and authentication because it is configuring OpenID strategy for Steam authentication.

If you are curious about why this change in particular was flagged, you can ask your Security Buddy right inside of the pull request. You can talk to to it by just using @dryrunsecurity in your comment. As an example:


@DryRunSecurity Why is changing providerURL in my passport OpenIDStrategy 
configuration risky from a security perspective? 

You’ll get an answer that explains the different risks associated with the change and it can provide developers with more context.

(If you’re in the DryRun Security Beta, you’re already seeing this in your code reviews …if you’re not, we’d like to join the beta; consider this your personal invite!)

Leveraging the Power of Contextual Security Analysis

CSA is a mechanism for us to ascertain whether or not a code change (pull request) exceeds your risk threshold using the totality of various data points available to us—including our own sensitive function analyzer.  

The idea behind CSA is that security teams, champions, and senior engineering staff have limited time to review code changes. By accurately surfacing just a few of the riskiest changes in a day or week these teams and individuals can better prioritize their efforts. Everyone loathes false positives because they eat up valuable time. Time that none of us are able to waste. CSA is designed to fix this problem entirely.

By using CSA and our various analyzers such as sensitive functions you can quickly identify authn/z risks as code is introduced for review. You’re not only protecting your customers and your business, you are building trust within your team, your company and your customers. And, just as importantly, you’re meeting your compliance obligations.

We encourage you to explore the benefits of CSA further by downloading our free Contextual Security Analysis Guide. Discover how to build CSA into your own security practice and make your application security proactive, precise, and developer-friendly.

Get Instant Access to CSA Functionality Right Now

We’d love to show you how DryRun Security can help you find risky auth function changes right away with our AI-powered Sensitive Function Check.

Discover how it can enhance your security posture and streamline your development process. To see it in action, request a demo or join the beta free right now.

Join us in revolutionizing application security, one code change at a time.