Original Post: Should random() be banned?
The post asks whether developers should be alerted when a non-cryptographically-secure random() function is used, a pattern that tools such as Bandit and gosec flag by default. Academics argue that every such finding is a potential vulnerability and should be reported; practitioners push back because most uses of random() are non-sensitive (shuffling test data, picking a placeholder colour), so a cryptographic source would buy nothing. The disagreement exposes a gap between how static analysis is evaluated in the literature, where true-positive rate is the usual quality metric, and how its output is received by the developers who have to act on it.
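The following example is added here and is not code from the original post or from r2c; it shows the pattern the Bandit (B311) and gosec (G404) rules flag, the hardened replacement, and why the rule exists in the first place: Python's `random` module is the Mersenne Twister MT19937, and anyone who observes 624 consecutive 32-bit outputs can recover its internal state and predict every later output. The password-reset-token scenario and the function names are constructed for illustration.

```python
import random
import secrets


# --- The pattern Bandit B311 / gosec G404 flag: an "unguessable" token from `random` ---
def insecure_reset_token(rng: random.Random) -> int:
    """Issue a 32-bit reset token from the Mersenne Twister. Looks random, is predictable."""
    return rng.getrandbits(32)


# --- The hardened form: `secrets` draws from the OS CSPRNG (os.urandom) ---
def secure_reset_token() -> str:
    """128 bits of CSPRNG output as 32 hex characters."""
    return secrets.token_hex(16)


# --- Why the rule exists: inverting MT19937's output tempering ---
def _undo_right_xor(y: int, shift: int) -> int:
    """Invert y = x ^ (x >> shift) for a 32-bit x.
    The top `shift` bits of y already equal those of x; each pass fixes `shift` more."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & 0xFFFFFFFF


def _undo_left_xor_mask(y: int, shift: int, mask: int) -> int:
    """Invert y = x ^ ((x << shift) & mask) for a 32-bit x, working up from the low bits."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF


def untemper(y: int) -> int:
    """Recover the raw MT19937 state word from one tempered 32-bit output.
    Tempering is: y ^= y>>11; y ^= (y<<7)&0x9D2C5680; y ^= (y<<15)&0xEFC60000; y ^= y>>18.
    Undo the four steps in reverse order."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_from_outputs(outputs: list[int]) -> random.Random:
    """Build a random.Random whose future outputs match the generator that produced
    `outputs`, which must be exactly 624 consecutive getrandbits(32) values."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(v) for v in outputs)
    clone = random.Random()
    # State format: (version 3, 624 state words + index, gauss_next).
    # Index 624 means the next call performs a twist, exactly like the original
    # generator after it has handed out a full block of 624 words.
    clone.setstate((3, state + (624,), None))
    return clone


def demo_prediction(seed=None) -> bool:
    """Attacker requests 624 tokens, then predicts the victim's token. Returns True on success."""
    server_rng = random.Random(seed)
    observed = [insecure_reset_token(server_rng) for _ in range(624)]
    attacker = clone_from_outputs(observed)
    victim_token = insecure_reset_token(server_rng)
    return attacker.getrandbits(32) == victim_token


if __name__ == "__main__":
    print("insecure token predicted:", demo_prediction())
    print("secure token:", secure_reset_token())
```

Run stand-alone the demo prints `True` regardless of seed, which is the point of the rule: the output is fully determined once enough of it has leaked. Where `random()` only shuffles a demo list or picks a colour, the same rule fires just as loudly, which is the false-positive cost the practitioners in the debate are describing.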
To see how rules perform on real code, r2c introduced a metric called Fix Rate: the percentage of merge-blocking findings that developers actually fix rather than ignore or suppress. Across their projects the random() rule had a Fix Rate of 0%, so they stopped surfacing it to developers as a blocker and instead routed the findings to the security team, creating an internal feedback loop for tuning rules.
r2c shared this approach with Figma's security team, who found it useful both for developing rules and for fitting security analysis into their development workflow.
The post closes with a vision of developer-centric static analysis that judges rules by feedback from real developers rather than by pre-existing benchmarks.
Luke O’Malley, Head of Product and Co-Founder at r2c, authored the piece.