<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2023.144019</article-id><article-id pub-id-type="publisher-id">JIS-128108</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  Systematic Review: Analysis of Coding Vulnerabilities across Languages
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Shreyas</surname><given-names>Sakharkar</given-names></name><xref ref-type="aff" rid="aff1"><sub>1</sub></xref></contrib></contrib-group><aff id="aff1"><label>1</label><addr-line>Stevenson Ranch, USA</addr-line></aff><pub-date pub-type="epub"><day>08</day><month>08</month><year>2023</year></pub-date><volume>14</volume><issue>04</issue><fpage>330</fpage><lpage>342</lpage><history><date date-type="received"><day>15,</day>	<month>August</month>	<year>2023</year></date><date date-type="rev-recd"><day>25,</day>	<month>September</month>	<year>2023</year>	</date><date date-type="accepted"><day>28,</day>	<month>September</month>	<year>2023</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  The boom of coding languages in the 1950s revolutionized how our digital w
  orld was construed and accessed. The languages invented then, including Fort
  ran, are still in use today due to their versatility and ability to underpin a large majority of the older portions of our digital world and applications. Fortran, or Form
  ula Translation, was a programming language implemented by IBM that shortened the apparatus of coding and the efficacy of the language syntax. Fortran marked the beginning of a new era of efficient programming by reducing t
  he number of statements needed to operate a machine several
  -
  fold. Since then, 
  dozens more languages have come into regular practice and have been increasingly diversified over the years. Some modern languages include Python, Java, JavaScript, C, C++, and PHP. These languages significantly improved efficiency and also have a broad range of uses. Python is mainly used for website/software development, data analysis, task automation, image processing, and graphic design applications. On the other hand, Java is primarily used as a client-side programming language. Expanding the coding languages allowed for increasing accessibility but also opened up applications to pertinent security issues. These security issues have varied by prevalence and language. Previous research has narrowed its focus on individual languages, failing to evaluate the security. This research paper investigates the severity and frequency of coding vulnerabilities comparatively across different languages and contextualizes their uses in a systematic literature review.
 
</p></abstract><kwd-group><kwd>CWE (Common Weakness Enumeration)</kwd><kwd> Data Security</kwd><kwd> Coding Vulnerabilities</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>Coding languages have been used for website building and application development in the modern era. Security issues within these applications can cause significant problems worldwide, mainly due to organizational utilization, from Alphabet to Amazon Web Services (AWS). Since the coding languages have been used to build such websites differ, the security problems that arise are inherently different in type of risk and prevalence. Data compromises in the United States increased from 157 in 2005 to 1,802 compromises in 2022 as programming gained popularity [<xref ref-type="bibr" rid="scirp.128108-ref1">1</xref>] .</p><p>A famous coding vulnerability example comes from the $100,000 Keying Error. Grete Fossbakk was trying to transfer $100,000 to her daughter via an online banking system. She entered her daughter’s bank account number and added one extra digit in the middle. The value was, therefore, truncated incorrectly, and the money was sent to the wrong person. According to Kai A. Olsen, a check-sum mechanism, checking the number of digits in the bank account, was in place to catch such errors, but it was only effective 92% of the time [<xref ref-type="bibr" rid="scirp.128108-ref2">2</xref>] . This resulted in this money transfer error in cases like Fossbackk’s and others.</p><p>While money transfer and security issues are concerning, the stakes are often even higher, considering machinery dealing with reactive materials with control systems managed by coding language algorithms. One example was Therac-25, a control system controlled radiation therapy machine used in patient cancer treatments. Six significant accidents in the system due to computer language failures from a past version of the system and improperly presented error codes resulted in a large overdose of radiation being delivered to the patients. Moreover, overflow errors would allow the software to bypass safety checks occasionally since the error was numeric, not a fixed flag value [<xref ref-type="bibr" rid="scirp.128108-ref3">3</xref>] . Medical malpractice cases uncovered the algorithmic errors underpinned by the language’s security risks. The use of alternative languages would have circumvented this security risk. The crucial nature of language security shoring can be further exemplified in a multitude of other industries, an example of which is the space industry. Rocket Ariane 5 also malfunctioned due to software errors and had catastrophic consequences, exploding in the atmosphere seconds after launch. Once again, reusing old code that needed to be assessed for malfunctions and security risks proved problematic. Peter Ladkin said the failure was “caused by an ‘Operand Error’ in converting data in a subroutine from 64-bit floating point to 16-bit signed integer. One value was too large to be converted, creating the Operand Error” [<xref ref-type="bibr" rid="scirp.128108-ref4">4</xref>] . Ladkin goes on to blame the failure of using the coding language Ada for the mission. Ada does not accommodate the need for explicitly hard-coding basic low-level data conversion into a higher-level language. Using Ada was utterly unnecessary, but as a result of using it, the entire mission was a failure.</p><p>Different coding languages have different inherent susceptibilities to coding security risks in the form of cyberattacks. These attacks can generally be classified into four main categories: cross-site scripting issues, SQL injection, command injection, and cryptographic issues. One type of attack is XSS or cross-site scripting. In this injection attack, attackers try to incorporate malicious code into a credible website to attack a user. SQL injections are similarly injected malicious code to view backend data that is not meant to be accessible. Command injections exploit operating system (OS) vulnerabilities by executing arbitrary commands to exploit input validation issues. Cryptographic issues are the most diverse of these. Cryptographic attacks can be subclassified into three main aims: identity verification, confidentiality, and integrity. Each of these encompasses data security for certain users. Within each language, there is a different vulnerability that skews in the direction of one of these four cyberattack categories. 86% of applications utilizing general-purpose scripting languages, such as PHP, contain at least one cross-site scripting (XSS) vulnerability and are vulnerable to command injections [<xref ref-type="bibr" rid="scirp.128108-ref5">5</xref>] . However, there are differential security risks assigned to the specific languages. Languages like C and C++ are known to have more robust security against XSS, while languages such as Classic ASP and ColdFusion are known to have a greater prevalence of XSS issues. Lastly, cryptographic problems are more varied and challenging to protect against. Overall, cryptographic issues have become the most prevalent subtype of cyberattacks.</p><p>Different languages, thus, offer varying levels of security against attacks. However, delving into the specifics of each language’s vulnerabilities that underpin these cyberattack data and validating this cyberattack distribution data by using a bottom-up approach is essential. This research paper will try to identify the following research questions: (1) What coding vulnerabilities/security risks come with using different languages? (2) Which coding languages are most vulnerable when faced with the most common cyberattacks?</p></sec><sec id="s2"><title>2. Methodology</title><p>To answer the research aims, this paper will follow the methodology below. A systematic literature review of recent studies was conducted in order to provide a clear and comprehensive review of previous literature’s data and interpretations. One database, Google Scholar, was utilized. Keywords that were used included “security risks”, “coding vulnerabilities”, “cyberattacks”, “Python”, “JavaScript” “Java”, “C”, “C++”, “PHP” and “risks inherent in coding languages&quot;. Each paper was analyzed for security risks and vulnerabilities associated with each programming language. Furthermore, the uses and applications of each programming language were identified. By comparing the statistics of the severity and frequency of coding vulnerabilities in different languages, the risk of using each language can be assessed. A PRISMA 2020 model was followed. Systematic literature reviews, case studies, and meta-analyses were all included. As shown in <xref ref-type="fig" rid="fig1">Figure 1</xref>, thirty-seven studies were found to fit within the inclusion criteria. Of these, two were duplicative and removed. Thirty-five studies remained to conduct our literature review with.</p></sec><sec id="s3"><title>3. Results</title><sec id="s3_1"><title>3.1. Python</title><p>In recent years, Python has experienced an explosion in popularity. According to the TIOBE Index, as of August 2022, Python overtook C to become the most popular programming language with a rating of 15.42% and is likely to keep growing. [<xref ref-type="bibr" rid="scirp.128108-ref6">6</xref>] Its popularity is mainly attributed to its simple and easy-to-read syntax.</p><p>Since Python is easy to code and also user-friendly, it is much easier on an individual quality analyst level to catch mistakes and errors in programs that could cause security issues. According to mend.io, only 6% of all reported open-source vulnerabilities are from websites written in Python. Furthermore, on average, only 15% of Python’s severity vulnerabilities in the past five years are considered high risk, which is relatively low compared to other major coding languages [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] .</p><p>However, Python also has some security vulnerabilities that are worth considering. There are four principal security vulnerabilities according to Python’s CWE (Common Weakness Enumeration) list. In order from most frequent to least, Input Validation (CWE-20), Permissions, Privileges, and Access Control (CWE-264), Cross-Site Scripting (XSS) (CWE-79), and Information Leak/Disclosure (CWE-200) affect Python language-based scripts [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] .</p><p>In further analysis, Python security risks are primarily a result of insufficient user input validation [<xref ref-type="bibr" rid="scirp.128108-ref8">8</xref>] . Input validation is how a program can ensure the data being entered by a user is not malicious, incorrectly formatted, or wrong in other ways. A program can avoid leaking important information by sanitizing the user’s input.</p><p>Additionally, Python is a type-safe language. This means it checks for type errors when the program compiles, known as compile time. On the other hand, languages that are not type-safe check for type errors at runtime. This is advantageous because it leads Python to be less error prone. Languages that are not type-safe, such as C and C++, are susceptible to error due to not having type safety.</p></sec><sec id="s3_2"><title>3.2. JavaScript</title><p>JavaScript is a popular language, and according to the TIOBE Index, JavaScript ranks seventh on the list of the most popular programming languages in the world, with a rating of 2.33% as of August 2022 [<xref ref-type="bibr" rid="scirp.128108-ref6">6</xref>] . However, Stack Overflow, a popular programming website, posted a developer survey in 2021 that claimed JavaScript was the most popular language. 64.96% of respondents and 68.62% of professionals chose JavaScript as their most heavily favored and used development language [<xref ref-type="bibr" rid="scirp.128108-ref9">9</xref>] . JavaScript underpins nearly 95+% of websites accessible today, emphasizing the widespread nature and havoc cyberattacks could wreak by exploiting a singular vulnerability [<xref ref-type="bibr" rid="scirp.128108-ref10">10</xref>] .</p><p>Despite being so popular, JavaScript has more vulnerabilities than Python. According to mend.io, 11% of all reported open-source vulnerabilities are from websites incorporating JavaScript. Mend.io also states that, on average, 31% of vulnerabilities identified in websites incorporating JavaScript contained high-risk vulnerabilities over the last five years, more than double that of Python.</p><p>According to mend.io, JavaScript is vulnerable to three main CWEs: Cryptographic Issues, Path Traversal, and Cross-Site Scripting (XSS), the first two relatively uncommon among other top programming languages. Additionally, Michael Hollander claims that SQL injection and sensitive cookie exposure are among the top vulnerabilities of JavaScript [<xref ref-type="bibr" rid="scirp.128108-ref10">10</xref>] .</p></sec><sec id="s3_3"><title>3.3. Java</title><p>Java is extremely popular as well. According to the TIOBE Index, which is a measure of relative programming language popularity, Java is ranked third in popularity at 12.40% [<xref ref-type="bibr" rid="scirp.128108-ref6">6</xref>] . Also, Java is a type-safe language, which is beneficial in minimizing type errors. Furthermore, Java technology is utilized by six million developers across billions of devices [<xref ref-type="bibr" rid="scirp.128108-ref11">11</xref>] . As a result, any significant vulnerability found in Java could potentially result in billions of devices being at risk of being hacked. Therefore, it is crucial to examine whether Java is secure.</p><p>According to mend.io, Java comprises 11% of all open-source security vulnerabilities, placing it in the top 3 in this category. However, the number of websites coded with Java containing high-severity security vulnerabilities averages roughly 19% but has been declining since 2015. Additionally, Java shares Python’s top four CWEs: Information Leak/Disclosure, Input Validation, Cross-Site Scripting, and Permissions, Privileges, &amp; Access Control [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] . Java and Python have several similarities, which provide a reason why their top security vulnerabilities are the same.</p><p>However, being listed among the top CWEs does not indicate a critical vulnerability. Static application security testing (SAST) helps identify code vulnerabilities. The most common code vulnerability identified through this process was the Unpatched Libraries vulnerability [<xref ref-type="bibr" rid="scirp.128108-ref12">12</xref>] . Furthermore, S. Rahaman et al. concluded that on a cumulative evaluation of Android applications, these applications draw their vulnerabilities largely from packaged libraries of code [<xref ref-type="bibr" rid="scirp.128108-ref13">13</xref>] . Unpatched libraries occur when versions of coding languages are updated to patch vulnerabilities found in libraries. Lists of these vulnerabilities can be found in databases such as the National Vulnerability Database or the CVE database. Coding languages can be vulnerable to attackers who know these vulnerabilities when not updated.</p></sec><sec id="s3_4"><title>3.4. C</title><p>C is a relatively old language still in use. According to the TIOBE Index, C ranks second in popularity to Python and ranked first before August 2022. However, according to a survey by Stack Overflow, only 21.01% of respondents have done extensive development work with C [<xref ref-type="bibr" rid="scirp.128108-ref6">6</xref>] .</p><p>Despite its broad applicability, there are three significant components to this need for more familiarity with C. 1) C is not very user-friendly and is challenging to master due to syntax requirements and hard-coding practices. 2) C contains security flaws and infrastructure weaknesses that are easy to exploit [<xref ref-type="bibr" rid="scirp.128108-ref14">14</xref>] . 3) C is not type-safe, making C increasingly liable to type errors. Mend.io states that C has the most vulnerability out of the above languages, encompassing 50% of all reported vulnerabilities in a decade. However, this last type-safety argument may be unreliable, as it is worth mentioning that the length of time that C has been around and the mass of code that relies on C may skew this data improperly [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] .</p><p>C’s top CWE is the Improper Restriction of Operations within the Bounds of a Memory Buffer, scoring 75.56 out of 100. Out-of-bounds Read is the second-most common CWE with a score of 26.5, far less common than the prior [<xref ref-type="bibr" rid="scirp.128108-ref15">15</xref>] .</p></sec><sec id="s3_5"><title>3.5. C++</title><p>C++ ranks fourth on the TIOBE Index, with a rating of 10.17% [<xref ref-type="bibr" rid="scirp.128108-ref6">6</xref>] . However, according to the Stack Overflow Developer Survey, 24.31% of respondents have done extensive development using C++, which ranks 10th on this survey. This points to the improvement in user accessibility and ease of use.</p><p>Similar to the above, in terms of security, C++ is not type-safe, so it is vulnerable to type errors. Notably, C++ has two significant unique security risks. First, C++ has the highest % of high-severity security vulnerabilities in this group at 36% [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] . Secondly, C++’s top CWE is Buffer Errors, which accounts for over 50% of all CWEs. According to mend.io, these Buffer errors, referred to by CWE code 19, have been incredibly prevalent within C. As explained by the lead-time fallacy of C, it is now becoming apparent that they are not unique to C. C++ has seen a sharp spike in these errors since 2017 [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] . Furthermore, as shown in <xref ref-type="fig" rid="fig2">Figure 2</xref>, C and C++ are uniquely responsible for a significant portion of CWE vulnerabilities [<xref ref-type="bibr" rid="scirp.128108-ref16">16</xref>] .</p></sec><sec id="s3_6"><title>3.6. PHP</title><p>According to the TIOBE Index, PHP is ranked tenth with a popularity rating of 1.39% [<xref ref-type="bibr" rid="scirp.128108-ref6">6</xref>] . 21.98% of respondents to the Stack Overflow 2021 Survey state that they have done extensive development with PHP [<xref ref-type="bibr" rid="scirp.128108-ref9">9</xref>] . PHP is especially popular in website development, with continuous growth and applicability [<xref ref-type="bibr" rid="scirp.128108-ref17">17</xref>] . This is primarily due to web developers’ use of PHP in creating dynamic content and utilizing strong database support systems. Overall, this can provide a user-friendly experience [<xref ref-type="bibr" rid="scirp.128108-ref18">18</xref>] .</p><p>Of security, according to mend.io, 16% of websites coded with PHP in the last five years were found to contain high-severity vulnerabilities. PHP has one clear top CWE: Cross-Site Scripting, or XSS. While we have explored the prevalence of XSS CWEs in depth, PHP is the only language with prominent SQL Injection (CWE-89) vulnerabilities [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] .</p></sec></sec><sec id="s4"><title>4. Discussion</title><p>In order to correctly interpret this research, it is also important to realize that each of the languages discussed earlier has different purposes. Despite their vulnerabilities, languages may still be used solely to execute a specific task that no other language can do better.</p><sec id="s4_1"><title>4.1. Applications of Python</title><p>Python has a relatively low number of vulnerabilities, which is a positive feature as it is one of the most used programming languages. Most of its applications involve image processing and graphic design applications [<xref ref-type="bibr" rid="scirp.128108-ref19">19</xref>] . Furthermore, Python can be used in website/software development, data analysis, and task automation. Since Python is very user-friendly, easy to learn, and has a simple syntax, many accountants and scientists can also utilize it for their job requirements [<xref ref-type="bibr" rid="scirp.128108-ref20">20</xref>] . It is often heralded as a beginner-friendly language for new web developers and computer science students.</p></sec><sec id="s4_2"><title>4.2. Applications of JavaScript</title><p>JavaScript is a client-side programming language mainly used in web development, specifically to make websites dynamic and interactive [<xref ref-type="bibr" rid="scirp.128108-ref21">21</xref>] . 98.0% of all websites use JavaScript as a client-side programming language [<xref ref-type="bibr" rid="scirp.128108-ref22">22</xref>] . JavaScript vulnerabilities can be high-stakes as one of the more popular languages underpinning some of the heaviest trafficked web pages without significant failures or security risks. Examples include Google, YouTube, Facebook, Wikipedia, and Amazon. As a result, any vulnerability found in JavaScript can be used cross-applied across several websites that are not only important but can be financially catastrophic.</p></sec><sec id="s4_3"><title>4.3. Applications of Java</title><p>Java can be used to construct applications on several platforms, particularly for the recent video gaming boom [<xref ref-type="bibr" rid="scirp.128108-ref23">23</xref>] . However, Java is not limited to mobile and computer applications. One of the more novel security risks that have emerged from using Java comes from the National Aeronautics and Space Administration (NASA). One of NASA’s recent endeavors has been WorldWind, a publicly accessible application allowing high-resolution camera monitoring from satellite feed onto nearly any location on Earth [<xref ref-type="bibr" rid="scirp.128108-ref24">24</xref>] . As a result, a security vulnerability in Java could result in apps being targeted by attackers and potentially crashing.</p></sec><sec id="s4_4"><title>4.4. Applications of C</title><p>As established, the relatively higher number of C-specific vulnerabilities and their prevalence compared to other languages means that any application based on C has an increased security risk. The applications of C are just as foundational to our computers, underpinning most operating systems (OS). Many C-based standard OS include but are not limited to Windows, Linux (nearly entirely in written C), Google Chrome OS, RIM Blackberry OS 4.x, Symbian OS, Apple Mac OS X, iPad OS, Apple, and Cisco IOS [<xref ref-type="bibr" rid="scirp.128108-ref25">25</xref>] . Security recommendations point toward minimizing the usage of C, especially in website development, where security risks are incrementally increased. Despite its shortcomings, C is still a prevalent programming language.</p></sec><sec id="s4_5"><title>4.5. Applications of C++</title><p>C++ is an all-purpose programming language used for many projects, such as applications, games, browser development, and operating systems [<xref ref-type="bibr" rid="scirp.128108-ref26">26</xref>] . Since C++ is used over such a large spectrum of software programs, it is vital to ensure coding vulnerabilities in C++ do not cause significant security issues. Otherwise, the same basic vulnerabilities can be exploited across a plethora of programs using C++.</p></sec><sec id="s4_6"><title>4.6. Applications of PHP</title><p>PHP is a scripting language mainly used for web development, but it can also be used to make projects such as GUIs or Graphical User Interfaces [<xref ref-type="bibr" rid="scirp.128108-ref27">27</xref>] . Many popular web interfaces use PHP, including Facebook, Wikipedia, and Etsy, among many others [<xref ref-type="bibr" rid="scirp.128108-ref28">28</xref>] .</p></sec><sec id="s4_7"><title>4.7. Origin of Security Vulnerabilities</title><p>Many security vulnerabilities originate from an early stage when beginners are taught how to program but not how to code securely. Taylor et al. demonstrated that significant work on SQL injection vulnerabilities shows a surprising lack of concern or discourse around preventative security measures [<xref ref-type="bibr" rid="scirp.128108-ref29">29</xref>] . This lack of education around preventive measures yields a measure of minimizing security concerns and a boom in analysts that create accessible products; websites, applications, and other programs inevitably contain vulnerabilities. Hackers can often easily exploit these vulnerabilities, resulting in data breaches and significant fiscal consequences in the industry.</p><p>Furthermore, in recent years, we experienced an explosion in the number of vulnerabilities from 2017 onwards, potentially due to the C++ spike in security issues and applicability [<xref ref-type="bibr" rid="scirp.128108-ref30">30</xref>] . This underscores the importance of secure coding practices, as more vulnerabilities mean more access points for attackers to target.</p></sec><sec id="s4_8"><title>4.8. Research Implications</title><p>By exploring the risk of using popular programming languages in everyday computer programs and websites, this research paper what risks are involved in using each language. Furthermore, by identifying the various uses of each language, this paper can help software programmers weigh the advantages and disadvantages of using specific languages for certain tasks.</p></sec></sec><sec id="s5"><title>5. Cyberattacks by Vulnerability Types</title><p>In this section, data and trends are analyzed in order to identify how secure different programming languages are by investigating how well each language reacts to the leading types of cyberattacks.</p><sec id="s5_1"><title>5.1. Cross-Site Scripting (XSS)</title><p>To recoup, cross-site scripting, or XSS, is a type of cyberattack that occurs when attackers incorporate malicious code into a credible website to attack an unsuspecting user. Vulnerabilities susceptible to XSS can be found very often; according to a Virginia Journal of Science study, more than 60% of web applications are vulnerable to XSS attacks [<xref ref-type="bibr" rid="scirp.128108-ref31">31</xref>] .</p><p>XSS is commonly found among the top vulnerability list of leading coding languages. According to the mend.io WhiteSource Report, PHP, Javascript, Java, and Python all feature XSS as one of their top three most common security vulnerabilities [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] . This trend exemplifies XSS’s threat to several websites, as PHP and Javascript are ubiquitous in website development.</p></sec><sec id="s5_2"><title>5.2. Input Validation</title><p>Input Validation is a process that involves verifying a user’s input to ensure it follows a set of standards. For example, an input field asking for an email address from the user can verify the user’s input by checking for an “@” symbol and other features. However, this process can sometimes be bypassed. Attackers may also be able to obtain private information. One scenario in which this could happen is when a person orders an item off of a website but inputs an SQL command that fetches the credit card numbers of different people who have previously ordered.</p><p>Input Validation is widespread among top coding languages. According to Mend’s WhiteSource Report, the CWE for Input Validation is second-most common in C, Java, and C++ and is most common in Python (when compared to other CWEs) [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] .</p></sec><sec id="s5_3"><title>5.3. SQL Injection</title><p>SQL Injection is a strategy that attackers use against weak input validation. Attackers can input a malicious SQL string of code into a website, allowing them to access restricted information from databases. In a basic example, attackers could type “SELECT * FROM Users” in a text box to get the elements in the “Users” table.</p><p>Mend’s WhiteSource Report ranks SQL Injection as SQL’s second-most common CWE vulnerability [<xref ref-type="bibr" rid="scirp.128108-ref7">7</xref>] . Furthermore, according to research by the internet company Akamai, SQL Injection accounts for over 65.1% of all web application attacks [<xref ref-type="bibr" rid="scirp.128108-ref32">32</xref>] .</p></sec><sec id="s5_4"><title>5.4. Out-of-Bounds Write</title><p>Out-of-bounds Write occurs when a program writes data outside a set buffer, causing the program to crash or fail to run. Another name for this is Buffer Overflow. Attackers can take advantage of buffer overflow to crash the program on purpose or cause the program to do what the attacker wants.</p><p>According to the CWE website, Out-of-bounds Write ranks first in their 2022 Top 25 Most Dangerous Software Weaknesses list [<xref ref-type="bibr" rid="scirp.128108-ref33">33</xref>] .</p></sec></sec><sec id="s6"><title>6. Conclusions</title><p>This paper aimed to answer the research questions: (1) What do coding vulnerabilities/security risks come with using different languages? and (2) Which coding languages are most vulnerable when faced with the most common cyberattacks? To answer these questions, the various vulnerabilities that affect trending programming languages were analyzed by the top CWEs and other trends for each language. C and C++ experience the most vulnerability and are most vulnerable to cyberattacks. While Python, Java, JavaScript, and PHP are not entirely secure, they still are relatively safer than C and C++.</p><p>In order to decrease the frequency of cyberattacks, future users of programming languages must take into account common vulnerabilities for each language and be mindful not to replicate such security threats. This is especially important for users of C and C++, who can drastically minimize the number of vulnerabilities in their code by adding security measures to prevent hackers from exploiting such vulnerabilities.</p></sec><sec id="s7"><title>Conflicts of Interest</title><p>The author declares no conflicts of interest regarding the publication of this paper.</p></sec><sec id="s8"><title>Cite this paper</title><p>Sakharkar, S. (2023) Systematic Review: Analysis of Coding Vulnerabilities across Languages. Journal of Information Security, 14, 330-342. https://doi.org/10.4236/jis.2023.144019</p></sec></body><back><ref-list><title>References</title><ref id="scirp.128108-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Petrosyan, A. (2023) Number of Data Breaches and Victims U.S. 2022. Statista. https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/</mixed-citation></ref><ref id="scirp.128108-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">Olsen, K.A (2010) Two Cases of Bad Web Usability: Banking and Employee Self Service, UniTech 2010, Oslo, Tapir Forlag (19.05). http://medialt.no/pub/uikt/u2010/035-Olsen/index.html</mixed-citation></ref><ref id="scirp.128108-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">Caballero, C. (2019) Software Architecture: Therac-25 the Killer Radiation Machine.https://www.carloscaballero.io/software-architecture-therac-25/</mixed-citation></ref><ref id="scirp.128108-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">Ladkin, P.B. (1998) The Ariane 5 Accident: A Programming Problem? http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/Research/Rvs/Misc/Additional/Reports/ariane.html</mixed-citation></ref><ref id="scirp.128108-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">Khandelwal, S. (2015) These Top 10 Programming Languages Have Most Vulnerable Apps on the Internet.https://thehackernews.com/2015/12/programming-language-security.html</mixed-citation></ref><ref id="scirp.128108-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">(2022) TIOBE Index. https://www.tiobe.com/tiobe-index/</mixed-citation></ref><ref id="scirp.128108-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">Mend (2022) Most Secure Programming Languages. https://www.mend.io/most-secure-programming-languages/</mixed-citation></ref><ref id="scirp.128108-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Bless, G. (2021) Most Common Python Vulnerabilities and How To Avoid Them. https://infosecwriteups.com/most-common-python-vulnerabilities-and-how-to-avoid-them-5bbd22e2c360</mixed-citation></ref><ref id="scirp.128108-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">(2022) Stack Overflow Developer Survey 2021.https://insights.stackoverflow.com/survey/2021#most-popular-technologies-language</mixed-citation></ref><ref id="scirp.128108-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">Hollander, M. (2020) Most Common Security Vulnerabilities Using JavaScript. Secure Coding.https://www.securecoding.com/blog/most-common-security-vulnerabilities-using-javascript/</mixed-citation></ref><ref id="scirp.128108-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Oracle (2022) Moved by Java Timeline. https://www.oracle.com/java/moved-by-java/timeline/</mixed-citation></ref><ref id="scirp.128108-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">DZoneRefcardz (2022) Java Application Vulnerabilities. https://dzone.com/refcardz/java-application-vulnerabilities#section-3</mixed-citation></ref><ref id="scirp.128108-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">Rahaman, S., et al. (2019) CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-Sized Java Projects. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, 11-15 November 2019, 2455-2472. https://doi.org/10.1145/3319535.3345659</mixed-citation></ref><ref id="scirp.128108-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">HPE: Hewlett Packard Enterprise (2022) Making C Less Dangerous.https://www.hpe.com/us/en/insights/articles/making-c-less-dangerous-1808.html</mixed-citation></ref><ref id="scirp.128108-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Parasoft (2020) Battling Buffer Overflows &amp; Other Memory Management Bugs. https://www.parasoft.com/blog/battling-buffer-overflows-other-memory-management-bugs/</mixed-citation></ref><ref id="scirp.128108-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">Dias, B. (2022) Most Dangerous CWEs of 2021. https://checkmarx.com/blog/most-dangerous-cwes-of-2021/</mixed-citation></ref><ref id="scirp.128108-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">Raygun Blog (2021) 10 Popular PHP Frameworks for Web Developers to Consider in 2021. https://raygun.com/blog/top-php-frameworks/</mixed-citation></ref><ref id="scirp.128108-ref18"><label>18</label><mixed-citation publication-type="other" xlink:type="simple">Singla, L. (2021) What Is PHP for Web Development and Why Should You Use It? Insights—Web and Mobile Development Services and Solutions. https://www.netsolutions.com/insights/what-is-php/</mixed-citation></ref><ref id="scirp.128108-ref19"><label>19</label><mixed-citation publication-type="other" xlink:type="simple">upGrad blog (2022) Top 12 Fascinating Python Applications in Real-World [2022].https://www.upgrad.com/blog/python-applications-in-real-world/</mixed-citation></ref><ref id="scirp.128108-ref20"><label>20</label><mixed-citation publication-type="other" xlink:type="simple">Coursera (2023) What Is Python Used For? A Beginner’s Guide.https://www.coursera.org/articles/what-is-python-used-for-a-beginners-guide-to-using-python</mixed-citation></ref><ref id="scirp.128108-ref21"><label>21</label><mixed-citation publication-type="other" xlink:type="simple">Meltzer, R. (2020) What Is JavaScript Used For? Lighthouse Labs. https://www.lighthouselabs.ca/en/blog/what-is-javascript-used-for</mixed-citation></ref><ref id="scirp.128108-ref22"><label>22</label><mixed-citation publication-type="other" xlink:type="simple">(2022) Usage Statistics of JavaScript as Client-Side Programming Language on Websites. https://w3techs.com/technologies/details/cp-javascript</mixed-citation></ref><ref id="scirp.128108-ref23"><label>23</label><mixed-citation publication-type="other" xlink:type="simple">Future Learn (2022) What Is Java Used for? 6 Practical Java Uses. https://www.futurelearn.com/info/blog/what-is-java-used-for</mixed-citation></ref><ref id="scirp.128108-ref24"><label>24</label><mixed-citation publication-type="other" xlink:type="simple">New Relic (2022) 6 Amazing Ways You Can Use Java. https://newrelic.com/blog/nerd-life/what-you-can-do-with-java</mixed-citation></ref><ref id="scirp.128108-ref25"><label>25</label><mixed-citation publication-type="other" xlink:type="simple">OpenEDG (2022) Learn C and C++, the Languages of the Past and Today. https://edube.org/learn/cpp-essentials-v20-docs/c-essentials-v1-1-faq-3</mixed-citation></ref><ref id="scirp.128108-ref26"><label>26</label><mixed-citation publication-type="other" xlink:type="simple">Castro, S. (2021) 6 Reasons C++ Is Still In Use Today. https://jobsity.com/blog/6-reasons-c-is-still-in-use-today</mixed-citation></ref><ref id="scirp.128108-ref27"><label>27</label><mixed-citation publication-type="other" xlink:type="simple">Chris, K. (2021) What Is PHP? The PHP Programming Language Meaning Explained. https://www.freecodecamp.org/news/what-is-php-the-php-programming-language-meaning-explained/</mixed-citation></ref><ref id="scirp.128108-ref28"><label>28</label><mixed-citation publication-type="other" xlink:type="simple">Fleury, D. (2020) 7 Global Websites That Use PHP in 2022. Trio Developers. https://www.trio.dev/blog/companies-using-php</mixed-citation></ref><ref id="scirp.128108-ref29"><label>29</label><mixed-citation publication-type="other" xlink:type="simple">Almansoori, M., Lam, J., Fang, E., Soosai Raj, A.G. and Chatterjee, R. (2021) Textbook Underflow: Insufficient Security Discussions in Textbooks Used for Computer Systems Courses. Proceedings of the 52nd ACM Technical Symposium on Computer Science Education, Virtual Event, 13-20 March 2021, 1212-1218. https://doi.org/10.1145/3408877.3432416</mixed-citation></ref><ref id="scirp.128108-ref30"><label>30</label><mixed-citation publication-type="other" xlink:type="simple">NVD: National Vulnerability Database (2022) CVSS Severity Distribution over Time. https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time#CVSSSeverityOverTime</mixed-citation></ref><ref id="scirp.128108-ref31"><label>31</label><mixed-citation publication-type="other" xlink:type="simple">Mack, J., Hu, Y.H. and Hoppa, M.A. (2019) A Study of Existing Cross-Site Scripting Detection and Prevention Techniques Using XAMPP and Virtual Box. Virginia Journal of Science, 70, 23 pp.</mixed-citation></ref><ref id="scirp.128108-ref32"><label>32</label><mixed-citation publication-type="other" xlink:type="simple">(2019) Akamai Threat Research Points to Gaming Industry as a Rising Target with 12 Billion Attacks and Counting. https://www.akamai.com/newsroom/press-release/state-of-the-internet-security-web-attacks-and-gaming-abuse</mixed-citation></ref><ref id="scirp.128108-ref33"><label>33</label><mixed-citation publication-type="other" xlink:type="simple">CWE: Common Weakness Enumeration (2022) 2022 CWE Top 25 Most Dangerous Software Weaknesses. https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html</mixed-citation></ref></ref-list></back></article>