| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of SAST Findings | Speed of Scanning | Usability & Dev Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught multiple critical issues missed by others | Yes – context-based analysis, logic flaws & SSRF | Broad coverage of standard vulns, logic flaws, and extendable | Near real-time PR feedback | |
| Snyk Code | High on well-known patterns (SQLi, XSS), but misses other categories | Limited – AI-based, focuses on recognized vulnerabilities | Good coverage of standard vulns; may miss SSRF or advanced auth logic issues | Fast, often near PR speed | Decent GitHub integration, but rules are a black box |
| GitHub Advanced Security (CodeQL) | Very high precision for known queries, low false positives | Partial – strong dataflow for known issues, needs custom queries | Good for SQLi and XSS but logic flaws require advanced CodeQL experience | Moderate to slow (GitHub Action based) | Requires CodeQL expertise for custom logic |
| Semgrep | Medium, but there is a good community for adding rules | Primarily pattern-based with limited dataflow | Decent coverage with the right rules, can still miss advanced logic or SSRF | Fast scans | Has custom rules, but dev teams must maintain them |
| SonarQube | Low – misses serious issues in our testing | Limited – mostly pattern-based, code quality oriented | Basic coverage for standard vulns, many hotspots require manual review | Moderate, usually in CI | Dashboard-based approach, can pass “quality gate” despite real vulns |
| Vulnerability Class | Snyk (partial) | GitHub (CodeQL) (partial) | Semgrep | SonarQube | DryRun Security |
|---|---|---|---|---|---|
| SQL Injection * | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| SSRF | | | | | |
| Auth Flaw / IDOR | | | | | |
| User Enumeration | | | | | |
| Hardcoded Token | | | | | |
| Tool | Accuracy of Findings | Detects Non-Pattern-Based Issues? | Coverage of C# Vulnerabilities | Scan Speed | Developer Experience |
|---|---|---|---|---|---|
| DryRun Security | Very high – caught all critical flaws missed by others | Yes – context-based analysis finds logic errors, auth flaws, etc. | Broad coverage of OWASP Top 10 vulns plus business logic issues | Near real-time (PR comment within seconds) | Clear single PR comment with detailed insights; no config or custom scripts needed |
| Snyk Code | High on known patterns (SQLi, XSS), but misses logic/flow bugs | Limited – focuses on recognizable vulnerability patterns | Good for standard vulns; may miss SSRF or auth logic issues | Fast (integrates into PR checks) | Decent GitHub integration, but rules are a black box (no easy customization) |
| GitHub Advanced Security (CodeQL) | Low – missed everything except SQL Injection | Mostly pattern-based | Low – only discovered SQL Injection | Slowest of all but finished in 1 minute | Concise annotation with a suggested fix and optional auto-remediation |
| Semgrep | Medium – finds common issues with community rules, some misses | Primarily pattern-based, limited data flow analysis | Decent coverage with the right rules; misses advanced logic flaws | Very fast (runs as lightweight CI) | Custom rules possible, but require maintenance and security expertise |
| SonarQube | Low – missed serious issues in our testing | Mostly pattern-based (code quality focus) | Basic coverage for known vulns; many issues flagged as “hotspots” require manual review | Moderate (runs in CI/CD pipeline) | Results in dashboard; risk of false sense of security if quality gate passes despite vulnerabilities |
| Vulnerability Class | Snyk Code | GitHub Advanced Security (CodeQL) | Semgrep | SonarQube | DryRun Security |
|---|---|---|---|---|---|
| SQL Injection (SQLi) | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| Server-Side Request Forgery (SSRF) | | | | | |
| Auth Logic/IDOR | | | | | |
| User Enumeration | | | | | |
| Hardcoded Credentials | | | | | |
| Vulnerability | DryRun Security | Semgrep | GitHub CodeQL | SonarQube | Snyk Code |
|---|---|---|---|---|---|
| 1. Remote Code Execution via Unsafe Deserialization | | | | | |
| 2. Code Injection via eval() Usage | | | | | |
| 3. SQL Injection in a Raw Database Query | | | | | |
| 4. Weak Encryption (AES ECB Mode) | | | | | |
| 5. Broken Access Control / Logic Flaw in Authentication | | | | | |
| Total Found | 5/5 | 3/5 | 1/5 | 1/5 | 0/5 |
| Vulnerability | DryRun Security | Snyk | CodeQL | SonarQube | Semgrep |
|---|---|---|---|---|---|
| Server-Side Request Forgery (SSRF) (Hotspot) | | | | | |
| Cross-Site Scripting (XSS) | | | | | |
| SQL Injection (SQLi) | | | | | |
| IDOR / Broken Access Control | | | | | |
| Invalid Token Validation Logic | | | | | |
| Broken Email Verification Logic | | | | | |
AI in AppSec
April 25, 2025

Vibe Coding with AI: Speedy Dev, Sneaky Vulnerabilities

Vibe coding with AI can feel like having a tireless robot buddy writing code for you – but even friendly robots can slip up. Go hands-on to learn more with DryRun at the RSA AppSec Village. 

Ever built a feature by just telling Cursor, Windsurf, or ChatGPT what you want and trusting their code suggestions? If so, congratulations – you’re “vibe coding.” The term (coined by AI luminary Andrej Karpathy) describes letting AI-driven tools handle the actual coding while you fully “embrace the vibes” of prompt-based development. It’s incredibly fun and fast – imagine a pair-programmer that never sleeps. Karpathy joked that for quick projects he would even “Accept All” changes without reading diffs. Many of us have been there, riding the high of rapid development with AI assistance.

AI-Powered Coding: Great Power, Great Responsibility

The productivity boost from AI pair programmers is real. They can help generate boilerplate, suggest fixes, and even catch some bugs. In fact, we at DryRun Security are big fans of AI – our own Co-founder predicted that AI and LLMs will become indispensable in AppSec. But with great power comes great responsibility (yes, we went there). The hard truth is that AI doesn’t inherently prioritize security – it’s tuned to produce working code, not secure code. If you just trust the AI’s output without review, you might be quietly shipping some serious vulnerabilities along with your new features.

Think about it: an AI helper writes a database query for you in one shot. Awesome! But it might not use parameterized queries – boom, now you’ve got a SQL injection hole. Or it scaffolds a quick API endpoint that forgets an authorization check. Suddenly an attacker can skip the login and access data directly (classic auth bypass). We’ve seen AI-generated code that accidentally exposes object IDs without verifying user ownership – a recipe for an IDOR (Insecure Direct Object Reference) issue. These mistakes aren’t just theoretical. Security researchers have noted that AI suggestions often include things like hardcoded secrets or unsafe queries. As noted in the article above, “AI writes code that works, not code that’s secure”.
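A worked example of the two mistakes just described, added here and not code from the post: a lookup endpoint whose query is built from request input and which never checks ownership, beside a hardened version that binds the parameter and makes the caller's ownership part of the query. The table, user ids and document ids are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory dataset: two users, each owning one private document."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER, owner_id INTEGER, body TEXT)")
    db.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, 100, "alice-private"), (2, 200, "bob-private")],
    )
    return db


def get_document_unsafe(db, current_user_id, doc_id):
    """The 'vibe coded' handler.

    Two defects: doc_id is spliced straight into SQL (injection), and
    current_user_id is accepted but never used, so any caller can read any
    document by id (IDOR).
    """
    rows = db.execute(f"SELECT body FROM documents WHERE id = {doc_id}").fetchall()
    return [r[0] for r in rows]


def get_document_safe(db, current_user_id, doc_id):
    """Hardened handler.

    doc_id is validated as an integer and passed as a bound parameter, and the
    owner is part of the WHERE clause, so the database itself enforces that a
    caller only ever sees documents they own.
    """
    try:
        doc_id = int(doc_id)
    except (TypeError, ValueError):
        return []
    rows = db.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, current_user_id),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    # User 100 asking for user 200's document: the unsafe handler hands it over.
    print(get_document_unsafe(db, 100, "2"))   # ['bob-private']
    print(get_document_safe(db, 100, "2"))     # []
```

The same review question applies to every AI-generated data access path: is the identifier bound rather than concatenated, and does the query or a preceding check tie the record to the authenticated user?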

The bigger problem is us – developers may trust AI-generated code too much. Humans tend to take AI output at face value, not scrutinizing it like a coworker’s code. Skip code reviews and testing, and you’re essentially deploying whatever the AI thinks is best. (Spoiler: that’s how you get pwned in production.) Janet Worthington of Forrester cautions that even with AI coding assistants, you still need proper AppSec testing (SAST, dependency checks, etc.) to catch issues the AI missed. We couldn’t agree more. In our own journey building AI-driven security tools, we learned that rigorous testing and validation is the secret sauce to making AI coding safe. No free passes just because a machine wrote it!

See “Vibe Coding Gone Wrong” Live @ RSA 2025

Want to see what happens when you fully give in to the vibes without a security net? Come check out DryRun Security’s interactive demo at RSA 2025’s AppSec Village: “Vibe Coding Gone Wrong: Can You Catch the AI’s Mistakes?” We’ve prepared some AI-generated pull requests full of sneaky security bugs. Your mission: play code detective and spot the vulnerabilities (think SQLi, auth flaws, etc.) before they make it into production. It’s a fun, hands-on way to learn just how easily an unchecked AI suggestion can slip a bug past even seasoned devs.

AppSec Village Schedule:

  • April 28: 11:30am–1:30pm

  • April 29: 1:30–3:30pm

  • April 30: 11:30am–1:30pm

We invite developers and security pros alike to swing by during the above times, put your secure code review skills to the test, and chat with us about all things AI and AppSec. AI-assisted development isn’t a hype train to jump off – it’s the future. But it works best when we keep our security glasses on. So grab a coffee at RSA, then come by our booth to see vibe coding’s pitfalls up close and learn how to code with AI securely. Don’t let the AI have all the fun (or introduce all the bugs) – join us and level up your secure coding vibes. See you at the demo!