 
                            The C Standard function rand (available in stdlib.h) does not have good random number properties.  The numbers generated by rand have a comparatively short cycle, and the numbers may be predictable.
Non-Compliant Code Example
The following code generates an ID with a numeric part produced by calling the rand() function.  The IDs produced will be predictable and have limited randomness.
enum {len = 12};
char id[len];  // id will hold the ID, starting with the characters "ID"
               // followed by a random integer
int r;
int num;
...
r = rand();  // generate a random integer
num = snprintf(id, len, "ID%-d", r);  // generate the ID
...
Compliant Solution
A better pseudo random number generator is the BSD function random.
enum {len = 12};
char id[len];  // id will hold the ID, starting with the characters "ID"
               // followed by a random integer
int r;
int num;
...
srandom(time(0));  // seed the PRNG with the current time
...
r = random();  // generate a random integer
num = snprintf(id, len, "ID%-d", r);  // generate the ID
...
The rand48 family of functions provides another alternative.
Note.  These pseudo random number generators use mathematical algorithms to produce a sequence of numbers with good statistical properties, but the numbers produced are not genuinely random.  For true randomness, Linux users can use the character devices /dev/random or /dev/urandom, but it is advisable to retrieve only a small number of characters from these devices.  (The device /dev/random may block for a long time if there are not enough events going on to generate sufficient randomness; /dev/urandom does not block.)
Risk Assessment
Using the rand function may lead to programming problems (for example, non-unique unique IDs) or weak cryptography.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| MSC30-C | 1 (low) | 1 (low) | 1 (high) | P1 | L3 | 
Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.20.2.1, "The rand function"