💻 Coding Prompt
Claude for Backend Devs: Review Legacy Code for Security Issues
Advanced Claude prompts for Backend Developers reviewing legacy finance code for security vulnerabilities
The Prompt
You are an expert backend security engineer with 13 years of experience auditing and hardening production codebases for financial services companies where a single unpatched vulnerability can result in regulatory fines, data breaches, and irreversible reputational damage. Help me review the code for security issues so I can reduce production bugs and ship a hardened codebase that passes internal security audit and external penetration testing without requiring a full rewrite of the existing system.
My situation:
- Language and stack: [e.g., "Python 3.9 Flask API with PostgreSQL — the codebase has been in production for 4 years and was written by two developers who are no longer with the company"]
- Codebase scope and size: [e.g., "approximately 18,000 lines across 42 modules — the highest-risk surface areas are the authentication flow, the payment processing endpoints, and the data export module that writes to S3"]
- Known problem areas: [e.g., "the authentication module uses MD5 for password hashing, the payment endpoints accept raw SQL built from user input in two places, and the S3 export module does not validate file type before upload"]
- Regulatory context: [e.g., "the system processes cardholder data and must comply with PCI DSS Level 2 — the next external QSA audit is in 11 weeks"]
- Current test coverage: [e.g., "62% unit test coverage overall, 0% on the authentication module, and no security-specific tests in the test suite"]
- Team capacity for remediation: [e.g., "two backend developers available for remediation — one senior, one mid-level — with a 6-week window before the audit preparation freeze"]
- Previous security incidents: [e.g., "one incident 18 months ago where a misconfigured S3 bucket exposed a data export file publicly for 11 hours — the incident was self-discovered and disclosed voluntarily to the regulator"]
Deliver:
1. A structured security review checklist for the three high-risk modules — authentication, payment endpoints, and S3 export — covering the OWASP Top 10 vulnerabilities relevant to each module, with a pass or fail assessment for each control point based on the known problem areas described
2. A remediation priority matrix — a ranked list of the identified vulnerabilities ordered by exploitability and PCI DSS compliance impact, with a severity classification (critical, high, medium, low) and an estimated remediation effort in developer-hours for each item
3. A password hashing migration plan — a step-by-step migration from MD5 to bcrypt or Argon2id, covering the database migration script structure, the backward-compatibility strategy for existing hashed passwords during the transition period, and the test cases to verify the migration without locking out active users
4. A parameterized query refactor template — a before-and-after code pattern for converting the two raw SQL payment endpoint queries to parameterized queries in SQLAlchemy, with an explanation of why each change eliminates the SQL injection surface and a unit test template that verifies the parameterized form rejects a standard injection payload
5. A file validation module specification — a Python module specification for the S3 export file type validation, covering the allowed MIME types, the magic byte verification approach, the file size limit enforcement, and the error response format that does not leak internal path information to the caller
6. A security test suite outline — a set of twelve security-specific test cases to add to the existing test suite, covering authentication bypass attempts, SQL injection payloads, file upload with invalid MIME types, session token expiry enforcement, and rate limiting on authentication endpoints — each test case with the expected response code and the assertion that confirms the control is working
7. A pre-audit remediation timeline — a week-by-week plan for the 6-week remediation window covering which vulnerabilities the senior developer addresses first, which the mid-level developer addresses in parallel, the code review gate before each fix is merged, and the regression test run that confirms no new issues were introduced by each remediation change
**Treat every vulnerability in this codebase as a PCI DSS audit finding rather than a code quality issue — write the remediation plan and every supporting output with the specificity and evidence trail that a Qualified Security Assessor will require to mark each control as compliant, and flag any item that cannot be fully remediated in 6 weeks as a compensating control candidate that must be documented before the audit.**
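Output item 3 asks for a migration that retires MD5 without locking anyone out. The block below is an added example illustrating one such plan; it is not part of the prompt page and not any project's code. It assumes three record formats that coexist during the transition (an unsalted `md5$<hex>` legacy row as in the scenario, a `md5+scrypt$` wrapped row written by the offline migration so that no bare MD5 digest stays at rest, and a `scrypt$` modern row written on the user's next successful login), and it uses `hashlib.scrypt` as a stand-in for bcrypt or Argon2id because it ships with CPython. The user table, cost parameters and helper names are all constructed for the example.

```python
"""Added example: MD5 -> memory-hard hash migration without locking out users.

Record formats (all constructed for this example):
  md5$<hex>                 legacy row, unsalted MD5 as in the scenario
  md5+scrypt$<salt>$<hex>   wrapped row: scrypt over the MD5 hex, written by the
                            offline migration so no bare MD5 digest stays at rest
  scrypt$<salt>$<hex>       modern row, written on the user's next login
hashlib.scrypt stands in for bcrypt/Argon2id because it ships with CPython.
"""
import hashlib
import hmac
import os
from typing import Dict, List

LEGACY, WRAPPED, MODERN = "md5", "md5+scrypt", "scrypt"
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # ~16 MiB per hash; assumed cost


def _scrypt_hex(material: bytes, salt: bytes) -> str:
    return hashlib.scrypt(material, salt=salt, **SCRYPT_PARAMS).hex()


def _md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def legacy_record(password: str) -> str:
    """Builds a legacy row; used only to construct sample data, never for new users."""
    return f"{LEGACY}${_md5_hex(password)}"


def hash_password(password: str) -> str:
    """Modern record: per-user random salt, scrypt directly over the password."""
    salt = os.urandom(16)
    return f"{MODERN}${salt.hex()}${_scrypt_hex(password.encode(), salt)}"


def wrap_legacy(record: str) -> str:
    """Offline migration step: rehash the stored MD5 digest itself under scrypt."""
    scheme, md5_hex = record.split("$", 1)
    if scheme != LEGACY:
        raise ValueError("not a legacy record")
    salt = os.urandom(16)
    return f"{WRAPPED}${salt.hex()}${_scrypt_hex(md5_hex.encode(), salt)}"


def verify(record: str, password: str) -> bool:
    """Constant-time comparison for all three formats; unknown formats fail closed."""
    parts = record.split("$")
    if parts[0] == LEGACY and len(parts) == 2:
        return hmac.compare_digest(parts[1], _md5_hex(password))
    if parts[0] in (WRAPPED, MODERN) and len(parts) == 3:
        salt = bytes.fromhex(parts[1])
        material = _md5_hex(password).encode() if parts[0] == WRAPPED else password.encode()
        return hmac.compare_digest(_scrypt_hex(material, salt), parts[2])
    return False


def migrate_table(users: Dict[str, str]) -> int:
    """Migration script body: wrap every legacy row in place; returns rows changed."""
    changed = 0
    for name, record in list(users.items()):
        if record.split("$", 1)[0] == LEGACY:
            users[name] = wrap_legacy(record)
            changed += 1
    return changed


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticates against any format and upgrades non-modern rows on success."""
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if record.split("$", 1)[0] != MODERN:
        users[username] = hash_password(password)  # rehash-on-login, no lockout
    return True


def still_legacy(users: Dict[str, str]) -> List[str]:
    """Audit helper: users who have not logged in since the migration (evidence trail)."""
    return [n for n, r in users.items() if r.split("$", 1)[0] != MODERN]
```

The wrapping step is what lets the migration script run once, up front, while the rehash-on-login step finishes the job without a forced reset; `still_legacy` gives the list an assessor will ask for of accounts that have not yet been upgraded, which is also the list to force a reset on when the transition window closes.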
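Output item 5 asks for a file validation specification for the S3 export path. The block below is an added example of what that module can look like; it is not from the prompt page or from any project. The MIME allowlist, the size limit, the error catalogue and the function names are assumptions chosen for the example; the point it demonstrates is checking the declared type against an allowlist before reading any body, bounding the read so an oversized upload is rejected without buffering it whole, verifying magic bytes against the declared type rather than trusting the header, and returning only a stable error code and message to the caller.

```python
"""Added example: export-file validation with a MIME allowlist, magic-byte
verification, a size cap and a caller-facing error format with no internal detail.
The allowlist, limit and error catalogue are assumptions, not a project's values.
"""
import io
from typing import Dict, Tuple

MAX_EXPORT_BYTES = 5 * 1024 * 1024  # assumed limit

# Declared MIME type -> magic-byte prefixes accepted for it.
ALLOWED_MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "application/zip": (b"PK\x03\x04",),
}

# Stable codes only: no file paths, bucket names or stack traces reach the caller.
ERRORS: Dict[str, Tuple[int, str]] = {
    "unsupported_type": (415, "file type is not allowed"),
    "content_mismatch": (415, "file content does not match the declared type"),
    "too_large": (413, "file exceeds the size limit"),
    "empty": (400, "file is empty"),
}


def error_response(code: str) -> dict:
    status, message = ERRORS[code]
    return {"status": status, "error": code, "message": message}


def read_bounded(stream: io.BufferedIOBase, limit: int) -> Tuple[bytes, bool]:
    """Reads at most limit+1 bytes; the flag says whether the body exceeded the limit."""
    data = stream.read(limit + 1)
    return data[:limit], len(data) > limit


def validate_export(declared_mime: str, stream, limit: int = MAX_EXPORT_BYTES) -> dict:
    # Normalise "application/pdf; charset=..." style headers and check the allowlist
    # before reading any body bytes, so rejected types cost nothing.
    mime = declared_mime.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_MAGIC:
        return error_response("unsupported_type")
    data, oversized = read_bounded(stream, limit)
    if oversized:
        return error_response("too_large")
    if not data:
        return error_response("empty")
    # Trust the bytes, not the header: the declared type must match the content.
    if not any(data.startswith(magic) for magic in ALLOWED_MAGIC[mime]):
        return error_response("content_mismatch")
    return {"status": 200, "mime": mime, "size": len(data)}


def validate_bytes(declared_mime: str, data: bytes, limit: int = MAX_EXPORT_BYTES) -> dict:
    """Convenience wrapper for in-memory input."""
    return validate_export(declared_mime, io.BytesIO(data), limit)
```

The verified `mime` in the success result, not the client's header, is what should be written as the object's Content-Type on upload, and the object key should be server-generated so nothing from the caller's filename reaches S3.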
💡 How to use this prompt
- Build the remediation priority matrix from output item 2 before touching any code. The two SQL injection vulnerabilities in the payment endpoints are almost certainly critical severity and PCI DSS non-compliant under Requirement 6.2 — remediating these two items first eliminates the highest-risk findings before the audit preparation freeze, even if no other items are addressed.
- The most common mistake is starting the password hashing migration before the parameterized query fixes. A bcrypt migration that locks out active users during a poorly executed transition creates an incident more visible than the underlying MD5 vulnerability. The SQL injection fixes are higher severity, have no user-facing impact, and can be completed and tested in a single developer day — do those first.
- Claude outperforms ChatGPT on this task because it maintains the PCI DSS compliance framing consistently across the security checklist, the remediation matrix, and the test suite outline without dropping the regulatory context when writing the more technical code-level outputs. Use Claude for the full review, then paste individual code snippets into ChatGPT if you need faster syntax iteration.
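The before-and-after pattern for the raw SQL payment queries (output item 4, and the first thing the notes above say to fix) is shown below as an added example; it is not from the prompt page or from any project. It uses `sqlite3` from the standard library in place of the scenario's PostgreSQL and SQLAlchemy stack, and the table, rows, function names and injection payload are constructed for the example. In SQLAlchemy the "after" form has the same shape: `conn.execute(text("SELECT ... WHERE account_id = :account_id"), {"account_id": account_id})`, with the value passed as a bound parameter rather than spliced into the statement text.

```python
"""Added example: string-built payment query beside its parameterized form,
plus the check a unit test would make. sqlite3 stands in for PostgreSQL +
SQLAlchemy; table, rows and payload are constructed for the example.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payments (id INTEGER PRIMARY KEY, account_id TEXT, amount_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO payments (account_id, amount_cents) VALUES (?, ?)",
        [("acct-1", 1000), ("acct-1", 2500), ("acct-2", 9900)],
    )
    return conn


def payments_before(conn: sqlite3.Connection, account_id: str) -> List[int]:
    """BEFORE: the caller's value is spliced into the SQL text and parsed as SQL."""
    sql = f"SELECT amount_cents FROM payments WHERE account_id = '{account_id}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def payments_after(conn: sqlite3.Connection, account_id: str) -> List[int]:
    """AFTER: the value travels as a bound parameter, so it can only ever be data."""
    sql = "SELECT amount_cents FROM payments WHERE account_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (account_id,))]


# Constructed payload of the kind the prompt's unit-test item refers to.
INJECTION_PAYLOAD = "acct-1' OR '1'='1"


def injection_check() -> dict:
    """What each form returns for a normal id and for the payload; a unit test
    asserts that the parameterized form returns nothing for the payload."""
    conn = make_db()
    return {
        "normal_before": payments_before(conn, "acct-1"),
        "normal_after": payments_after(conn, "acct-1"),
        "payload_before": payments_before(conn, INJECTION_PAYLOAD),
        "payload_after": payments_after(conn, INJECTION_PAYLOAD),
    }
```

The "before" form returns every account's rows for the payload because the quote closes the literal and the rest is evaluated as a predicate; the "after" form returns nothing because the whole string is compared, quote and all, against the `account_id` column. That difference is the assertion the unit test template should make, and it is the evidence an assessor can re-run.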
About This Coding AI Prompt
This free Coding prompt is designed for Claude and works with any modern AI assistant including ChatGPT, Claude, Gemini, and more. Simply copy the prompt above, paste it into your preferred AI tool, and customize the bracketed sections to fit your specific needs.
Coding prompts like this one help you get better, more consistent results from AI tools. Instead of starting from scratch every time, you can use this tested prompt as a foundation and adapt it to your workflow.