Insecure Random Number Generation
Description
The rand() PRNG should not be used in applications intended to be portable when good-quality pseudorandom numbers are needed: its algorithm is implementation-defined, and some implementations have a short period or weak low-order bits. The use of random() is recommended instead.
Examples
Insecure Code

```c
int x = rand();
```

Secure Code

```c
int x = random();
```

Remediation
Replace rand() with random(), a POSIX generator with consistent, better-quality output across platforms. Note that random() is still a deterministic PRNG, not a cryptographically secure one: where the value must be unguessable (keys, tokens, nonces), obtain it from the operating system's CSPRNG instead.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0494 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-338 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | randomness, portability |
| OWASP | N/A |
References
- https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf
- https://cwe.mitre.org/data/definitions/330
- https://cwe.mitre.org/data/definitions/338