Audit required: Insecurely generated random number CS-A1008

Random is a pseudo-random number generator, which is an algorithm that produces a sequence of numbers that meet certain statistical requirements for randomness. Because the number generated is not random enough for sensitive operations, consider using RandomNumberGenerator from System.Security.Cryptography namespace instead.

Bad Practice

var random = new Random();

Recommended

var randomGenerator = RandomNumberGenerator.Create();

Reference

• Random
• RandomNumberGenerator
• A02:2021: Cryptographic Failures
• V3: Cryptography Requirements
• CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
• CWE-1241: Use of Predictable Algorithm in Random Number Generator