...
Although not specified by POSIX, arc4random() is another possibility for systems that support it. The arc4random(3) manual page [OpenBSD] states:
... provides higher quality of data than those described in rand(3), random(3), and drand48(3).
To achieve the best random numbers possible, an implementation-specific function must be used. When unpredictability is crucial and speed is not an issue, as in the creation of strong cryptographic keys, use a true entropy source, such as /dev/random, or a hardware device capable of generating random numbers. Note that the /dev/random device can block for a long time if there are not enough events going on to generate sufficient entropy.
...
SEI CERT C++ Coding Standard | MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers |
CERT Oracle Secure Coding Standard for Java | MSC02-J. Generate strong random numbers |
MITRE CWE | CWE-327, Use of a Broken or Risky Cryptographic Algorithm; CWE-330, Use of Insufficiently Random Values; CWE-331, Insufficient Entropy; CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
Bibliography
...