This repository contains a Secure Code Review Assessment of an open-source Python Flask Login System that uses a MySQL database.
The assessment was performed using a Static Application Security Testing (SAST) methodology through manual source code review. The objective was to identify security vulnerabilities, evaluate secure coding practices, and provide practical remediation recommendations based on industry best practices.
The identified security findings were also mapped to the OWASP Top 10 (2021) to demonstrate their alignment with widely recognized web application security risks.
The application reviewed during this assessment is available below:
Repository Reviewed:
https://github.com/HarunMbaabu/Login-System-with-Python-Flask-and-MySQL
This repository contains my independent security assessment of the above application. The original source code remains the property of its respective author.
- Perform a manual Secure Code Review.
- Identify security vulnerabilities within the application.
- Evaluate authentication and session management.
- Assess secure coding practices.
- Review SQL query implementation.
- Identify potential security weaknesses.
- Provide practical remediation recommendations.
- Map identified findings to the OWASP Top 10 (2021).
The assessment was conducted using Static Application Security Testing (SAST) through manual source code analysis without executing the application.
The following areas were reviewed:
- Authentication
- User Registration
- Session Management
- Access Control
- Database Queries
- Input Validation
- Password Handling
- Error Handling
- Python
- Flask
- MySQL
- Flask-MySQLdb
- Jinja2
- HTML
- SQL
The assessment identified several secure coding practices already implemented within the application, including:
- Parameterized SQL Queries
- Session-Based Authentication
- Generic Authentication Error Messages
- Basic Input Validation
| Finding | Severity | OWASP Category |
|---|---|---|
| Plaintext Password Storage | 🔴 High | A02:2021 – Cryptographic Failures |
| Missing Password Strength Validation | 🟠 Medium | A07:2021 – Identification and Authentication Failures |
| Flask Debug Mode Enabled | 🟠 Medium | A05:2021 – Security Misconfiguration |
A detailed technical explanation, supporting evidence, security impact, and remediation recommendations for each finding are available in the assessment report.
This project demonstrates practical experience in:
- Secure Code Review
- Static Application Security Testing (SAST)
- Python Source Code Analysis
- Flask Security Review
- Authentication & Session Security
- Secure Coding Best Practices
- SQL Injection Prevention Review
- OWASP Top 10 Mapping
- Vulnerability Assessment
- Technical Security Report Writing
The complete Secure Code Review Report is available below.
📥 Download the Report
Secure Code Review Report – Login System (Flask & MySQL)
Through this assessment, I strengthened my understanding of:
- Reading and analyzing backend Python applications
- Flask routing and request handling
- Authentication and session management
- Secure database interactions
- SQL Injection prevention using parameterized queries
- Password storage best practices
- Static Application Security Testing (SAST)
- Professional security documentation and reporting
This Secure Code Review Assessment was conducted independently for educational and portfolio purposes using a publicly available open-source application.
This repository does not contain or claim ownership of the original application. It contains only my independent security assessment and report. The original application remains the property of its respective author.
Miracle Godwin Ogbo
Junior Penetration Tester