| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of SAST Findings | Speed of Scanning | Usability & Dev Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught multiple critical issues missed by others | Yes – context-based analysis, logic flaws & SSRF | Broad coverage of standard vulns, logic flaws, and extendable | Near real-time PR feedback | |
| Snyk Code | High on well-known patterns (SQLi, XSS), but misses other categories | Limited – AI-based, focuses on recognized vulnerabilities | Good coverage of standard vulns; may miss SSRF or advanced auth logic issues | Fast, often near PR speed | Decent GitHub integration, but rules are a black box |
| GitHub Advanced Security (CodeQL) | Very high precision for known queries, low false positives | Partial – strong dataflow for known issues, needs custom queries | Good for SQLi and XSS, but logic flaws require advanced CodeQL experience | Moderate to slow (GitHub Action based) | Requires CodeQL expertise for custom logic |
| Semgrep | Medium, but there is a good community for adding rules | Primarily pattern-based with limited dataflow | Decent coverage with the right rules; can still miss advanced logic or SSRF | Fast scans | Has custom rules, but dev teams must maintain them |
| SonarQube | Low – misses serious issues in our testing | Limited – mostly pattern-based, code quality oriented | Basic coverage for standard vulns; many hotspots require manual review | Moderate, usually in CI | Dashboard-based approach; can pass the “quality gate” despite real vulns |
| Vulnerability Class | Snyk (partial) | GitHub (CodeQL) (partial) | Semgrep | SonarQube | DryRun Security |
|---|---|---|---|---|---|
| SQL Injection * | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| SSRF | | | | | |
| Auth Flaw / IDOR | | | | | |
| User Enumeration | | | | | |
| Hardcoded Token | | | | | |
| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of C# Vulnerabilities | Scan Speed | Developer Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught all critical flaws missed by others | Yes – context-based analysis finds logic errors, auth flaws, etc. | Broad coverage of OWASP Top 10 vulns plus business logic issues | Near real-time (PR comment within seconds) | Clear single PR comment with detailed insights; no config or custom scripts needed |
| Snyk Code | High on known patterns (SQLi, XSS), but misses logic/flow bugs | Limited – focuses on recognizable vulnerability patterns | Good for standard vulns; may miss SSRF or auth logic issues | Fast (integrates into PR checks) | Decent GitHub integration, but rules are a black box (no easy customization) |
| GitHub Advanced Security (CodeQL) | Low – missed everything except SQL Injection | Mostly pattern-based | Low – only discovered SQL Injection | Slowest of all, but finished in 1 minute | Concise annotation with a suggested fix and optional auto-remediation |
| Semgrep | Medium – finds common issues with community rules, some misses | Primarily pattern-based, limited data flow analysis | Decent coverage with the right rules; misses advanced logic flaws | Very fast (runs as lightweight CI) | Custom rules possible, but they require maintenance and security expertise |
| SonarQube | Low – missed serious issues in our testing | Mostly pattern-based (code quality focus) | Basic coverage for known vulns; many issues flagged as “hotspots” require manual review | Moderate (runs in CI/CD pipeline) | Results in dashboard; risk of a false sense of security if the quality gate passes despite vulnerabilities |
| Vulnerability Class | Snyk Code | GitHub Advanced Security (CodeQL) | Semgrep | SonarQube | DryRun Security |
|---|---|---|---|---|---|
| SQL Injection (SQLi) | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| Server-Side Request Forgery (SSRF) | | | | | |
| Auth Logic/IDOR | | | | | |
| User Enumeration | | | | | |
| Hardcoded Credentials | | | | | |
| Vulnerability | DryRun Security | Semgrep | GitHub CodeQL | SonarQube | Snyk Code |
|---|---|---|---|---|---|
| 1. Remote Code Execution via Unsafe Deserialization | | | | | |
| 2. Code Injection via eval() Usage | | | | | |
| 3. SQL Injection in a Raw Database Query | | | | | |
| 4. Weak Encryption (AES ECB Mode) | | | | | |
| 5. Broken Access Control / Logic Flaw in Authentication | | | | | |
| Total Found | 5/5 | 3/5 | 1/5 | 1/5 | 0/5 |
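The tables above separate vulnerability classes that have a recognisable sink (SQL injection, XSS, eval(), ECB mode) from ones that do not (Auth Flaw / IDOR, User Enumeration, Broken Access Control / Logic Flaw in Authentication). The following is an added example, not code from the page or from any of the vendors' test corpora, showing why the second group is hard for a pattern rule: every query is parameterised, so no injection signature fires, and the bug in each vulnerable function is a check that is simply absent. The table names, the users alice/bob, their passwords, the document rows and all function names are constructed for the demo.

```python
"""
Added example (not from the page): an IDOR / broken-access-control flaw and a
user-enumeration flaw written with no dangerous sink for a pattern rule to match.
All schema, users, passwords and documents are constructed for this demo.
"""
import hashlib
import hmac
import sqlite3

PBKDF2_ROUNDS = 100_000  # modest cost; fine for an in-memory demo
GENERIC_LOGIN_ERROR = "invalid username or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample users and documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "salt BLOB, pw_hash BLOB)")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    for uid, name, pw in [(1, "alice", "alice-pass"), (2, "bob", "bob-pass")]:
        salt = hashlib.sha256(name.encode()).digest()[:16]  # deterministic salt, demo only
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (uid, name, salt, _hash_password(pw, salt)))
    conn.execute("INSERT INTO documents VALUES (10, 1, 'alice private notes')")
    conn.execute("INSERT INTO documents VALUES (20, 2, 'bob private notes')")
    conn.commit()
    return conn


# --- Auth Flaw / IDOR ---------------------------------------------------------

def get_document_vulnerable(conn, requester_id: int, doc_id: int):
    """IDOR: the caller is authenticated (requester_id) but never authorised.
    The query is parameterised, so no SQLi rule matches; the flaw is the
    absence of an ownership check, which no syntactic pattern can see."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document_fixed(conn, requester_id: int, doc_id: int):
    """Enforce ownership inside the query, so nothing can be returned that the
    requester does not own."""
    row = conn.execute("SELECT body FROM documents WHERE id = ? AND owner_id = ?",
                       (doc_id, requester_id)).fetchone()
    return row[0] if row else None


# --- User Enumeration ---------------------------------------------------------

def login_vulnerable(conn, username: str, password: str):
    """Distinct failure messages reveal whether the username exists."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False, "no such user"
    if not hmac.compare_digest(_hash_password(password, row[0]), row[1]):
        return False, "wrong password"
    return True, "ok"


def login_fixed(conn, username: str, password: str):
    """Same message and the same PBKDF2 work on both failure paths, so neither
    the response text nor the timing distinguishes unknown users from bad passwords."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        salt, expected = b"\x00" * 16, b"\x00" * 32  # dummy values to burn equal cost
    else:
        salt, expected = row
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return False, GENERIC_LOGIN_ERROR
    return True, "ok"


if __name__ == "__main__":
    db = setup_db()
    print("IDOR, bob reads alice's doc:", get_document_vulnerable(db, 2, 10))
    print("fixed:", get_document_fixed(db, 2, 10))
    print("enumeration:", login_vulnerable(db, "carol", "x"), login_vulnerable(db, "alice", "x"))
    print("fixed:", login_fixed(db, "carol", "x"), login_fixed(db, "alice", "x"))
```

Run it and compare the vulnerable and fixed functions side by side: they use the same library calls and the same parameterised queries, which is why a rule keyed on a sink reports neither. Catching the vulnerable versions requires knowing that `doc_id` comes from the requester and that `documents` has an owner, or that the two error strings leak account existence, which is context rather than syntax.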
DryRun Security News
May 23, 2023

Technology Veterans James Wickett and Ken Johnson Launch DryRun Security to Bring Security to Developers

DryRun Security Seeks to Bridge the Gap Between Developers and Security Professionals by Automating Security Analysis in Code Reviews Before Deployment

AUSTIN, TEXAS, May 23, 2023 – DryRun Security emerged from stealth with the mission to fix the disconnect between security and developers, with the premise that all developers fundamentally care about security. The company, founded by technology veterans James Wickett and Ken Johnson, is creating a new security analysis tool to find potential bugs sooner than any other security solution on the market while being better aligned with how developers actually work. 

Co-founders James Wickett and Ken Johnson created DryRun Security after observing that, in the past 20 years, software security has become misaligned with the way developers build. The arc of the industry has created silos where legacy security solutions have been geared towards security professionals rather than those who write the software.

This leads to three significant gaps. The first is that testing for security issues only after the code has been deployed wastes developer and security team cycles when problems are discovered. The second is that many of the bugs identified are not even relevant, resulting in false positives. The third is that application security teams lack an accurate picture of which code reviews require their expertise. This is further exacerbated by the sheer velocity and number of daily and weekly code updates. All of these problems lead to inaccurate, delayed, and often incorrectly prioritized security testing and, ultimately, a less secure codebase.

DryRun Security fixes the disconnect between security and developers by performing Contextual Security Analysis which runs where developers work. As a developer writes code, they dry-run security testing and analysis and get results back in near real-time, which is where the name “DryRun” comes from.  This type of testing builds the security context of the code and provides feedback to developers whenever they make changes or write new code.

“The disconnect between engineers and security testers is due to a lack of security context making it back to developers,” said James Wickett, CEO and Co-Founder of DryRun Security. “DryRun Security was created to address this fundamental disconnect under the assumption that developers truly care about the security of the products they are building. With that assumption, we believe that security should be an integral part of the software development process. That’s why it’s our mission to provide engineers with a tool that makes it easy to identify and fix potential security bugs while the developer is working on that section of code.”

“At DryRun Security, we understand that once a developer can see the security context of their changes, they can make better decisions and create more secure applications. This is different from the way that testing has been happening over the past two decades, which has made fixing bugs inefficient, driving up costs and creating unnecessary hurdles for developers and security professionals,” said Ken Johnson, Co-Founder and CTO of DryRun Security. “I experienced these headaches firsthand, which is why I started DryRun Security with James. Our belief is that the solution we provide will give developers the ability to integrate contextual security analysis into their development workflow and fix issues before they become bigger problems.”

DryRun Security is currently running a private beta of its product and is accepting sign-ups. Please visit https://dryrun.security to sign up and join the early access list.

***

About DryRun Security

DryRun Security is a software security company that provides automated security reviews for developers as they write code. Founded by James Wickett and Ken Johnson, the company takes a unique approach using Contextual Security Analysis, a proprietary approach they developed by training over 10,000 developers on security testing and code reviews. Using this approach, developers and security teams are able to bridge the gaps in mainstream security testing approaches and fix potential bugs before deployment. For more information, please visit https://dryrun.security.