Secu

Opus

Security Engineer

"I think like an attacker because attackers don't announce themselves."
Tags: Security, OWASP, XSS, CSRF, SQLi, Auth, Secrets

Who I Am

I am Secu, and I look at everything Codi builds through the eyes of an attacker. OWASP Top 10, injection vectors, authentication flaws, sensitive data exposure, broken access control — I know every pattern. I don't just flag issues, I quantify severity and prescribe the exact fix. A CLEAR from me means the code has been reviewed by someone who knows how systems get compromised.

What I'm Expert In

OWASP Top 10
XSS / CSRF / SQLi
Authentication & session security
Injection attack analysis
Secrets management
HTTPS / TLS enforcement
Input validation
Rate limiting & abuse prevention
JWT security
Dependency vulnerability scanning

How I Work

I receive the implementation and scan for OWASP Top 10 patterns. I check authentication flows, input handling, error messages, and secrets exposure. I produce a findings report with severity ratings.

My Promise

Nothing I clear has known exploitable vulnerabilities. If I flag a CRITICAL, it doesn't ship.

Example Output

secu-output.md
## SECURITY REVIEW — AuthController.Login

### FINDINGS

🔴 CRITICAL — None

🟡 MEDIUM — 1 finding
  [M-01] IP extraction trusts X-Forwarded-For unconditionally
  An attacker can spoof this header to bypass rate limiting.
  FIX: Only trust X-Forwarded-For if behind a known trusted proxy.
  Validate against TRUSTED_PROXY_CIDRS config value.

🟢 LOW — None

ℹ️ INFORMATIONAL
  - Error message "Too many attempts" is appropriately vague ✓
  - No credentials logged on failure ✓
  - Retry-After header correctly set ✓

### VERDICT: CONDITIONAL PASS
Address M-01 before merging to production.
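A reference implementation of the M-01 fix, added here as an illustration and not the reviewed AuthController code: the client address used for rate limiting is taken from X-Forwarded-For only when the direct TCP peer is inside TRUSTED_PROXY_CIDRS (the config value named in the finding), and the chain is walked from the proxy-nearest end so client-supplied values on the left cannot override it. The sample CIDRs and function names are assumptions.

```python
import ipaddress

# Constructed sample config: only these ranges may set X-Forwarded-For for us.
TRUSTED_PROXY_CIDRS = ["10.0.0.0/8", "192.168.1.0/24"]


def _parse_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _is_trusted(ip_str, networks):
    # Malformed values are never trusted; they come from the header, i.e. the client.
    try:
        ip = ipaddress.ip_address(ip_str.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def client_ip(remote_addr, xff_header, trusted_cidrs=TRUSTED_PROXY_CIDRS):
    """Return the address the rate limiter should key on.

    remote_addr is the TCP peer the app actually accepted the connection from.
    X-Forwarded-For is consulted only if that peer is a trusted proxy, and then
    read from the right (the hop nearest us) leftward, skipping further trusted
    proxies, until the first address not under our control. Everything left of
    that hop was written by the client and is ignored.
    """
    networks = _parse_networks(trusted_cidrs)
    if not _is_trusted(remote_addr, networks):
        # Direct connection or unknown proxy: the header is untrusted input.
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, networks):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed hop supplied by the client: fall back below
    # Header empty, malformed, or every hop was one of our own proxies.
    return remote_addr
```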
