---
title: Avoid pseudo-random numbers
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid pseudo-random numbers
---

# Avoid pseudo-random numbers

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `kotlin-security/no-pseudo-random`

**Language:** Kotlin

**Severity:** Error

**Category:** Security

**CWE**: [330](https://cwe.mitre.org/data/definitions/330.html)

## Description{% #description %}

This rule enforces the use of secure and unpredictable random numbers in Kotlin applications. Using pseudo-random numbers can make your code vulnerable to attacks because pseudo-random numbers follow a deterministic sequence that can be predicted if the initial seed is known. This is especially crucial in contexts such as generating encryption keys, generating random identifiers, or performing any other security-related functionalities.

To adhere to this rule, do not give `SecureRandom` a fixed seed, whether by calling the `setSeed()` method or by passing a byte array to the `SecureRandom` constructor. Both of these approaches produce pseudo-random numbers whose sequence is determined by the seed, which can lead to vulnerabilities in your code. Also, avoid reseeding a `SecureRandom` instance with a predictable value, such as the current time.

Instead, create a `SecureRandom` instance without a set seed, or use `SecureRandom.getInstanceStrong()`. Following these best practices helps you generate secure and unpredictable random numbers in your Kotlin applications.
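The following Kotlin program is an added example, not code from the Datadog rule page, that shows why the rule flags fixed seeds and what the compliant pattern looks like side by side. It assumes a standard JDK that ships the `SHA1PRNG` algorithm (it is used because an explicit seed supplied before the first output fully determines that generator's stream, which makes the predictability visible); the helper names `bytesFromFixedSeed`, `randomToken` and `toHex`, and the seed value `"myseed"`, are constructed for this example.

```kotlin
import java.security.SecureRandom
import java.util.Base64

// Constructed fixed seed, used only to demonstrate determinism.
private val FIXED_SEED = "myseed".toByteArray(Charsets.UTF_8)

/**
 * Draws [n] bytes from a SHA1PRNG instance that is explicitly seeded with [seed]
 * before any output is requested. This is the pattern the rule reports: the whole
 * output stream is a function of the seed alone.
 */
fun bytesFromFixedSeed(seed: ByteArray, n: Int): ByteArray {
    val prng = SecureRandom.getInstance("SHA1PRNG")
    prng.setSeed(seed)  // noncompliant: fixed seed replaces the provider's own seeding
    val out = ByteArray(n)
    prng.nextBytes(out)
    return out
}

/**
 * Generates a URL-safe token of [byteLength] random bytes using a self-seeded
 * SecureRandom. This is the compliant pattern: no seed is supplied, so the
 * provider seeds itself from the operating system's entropy source.
 */
fun randomToken(byteLength: Int = 32): String {
    val rng = SecureRandom()
    val buf = ByteArray(byteLength)
    rng.nextBytes(buf)  // nextBytes() fills the supplied array and returns Unit
    return Base64.getUrlEncoder().withoutPadding().encodeToString(buf)
}

// Lower-case hex rendering of a byte array, for printing.
fun ByteArray.toHex(): String = joinToString("") { "%02x".format(it) }

fun main() {
    // Two independently constructed generators given the same fixed seed
    // produce exactly the same bytes: anyone who knows the seed knows the stream.
    val a = bytesFromFixedSeed(FIXED_SEED, 16)
    val b = bytesFromFixedSeed(FIXED_SEED, 16)
    println("fixed seed, instance 1: ${a.toHex()}")
    println("fixed seed, instance 2: ${b.toHex()}")
    println("identical: ${a.contentEquals(b)}")  // true

    // Self-seeded generators produce a different token on every call.
    val t1 = randomToken()
    val t2 = randomToken()
    println("token 1: $t1")
    println("token 2: $t2")
    println("identical: ${t1 == t2}")  // false
}
```

Run it with `kotlinc` as a single-file program (`kotlinc Example.kt -include-runtime -d example.jar && java -jar example.jar`). The two "fixed seed" lines always match, and they match again on every later run, which is the property the rule is guarding against; the two tokens never match. If you switch `randomToken` to `SecureRandom.getInstanceStrong()`, as the page recommends, be aware that on some platforms the strong algorithm reads from a blocking entropy source and the first call can pause until enough entropy is available.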

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```kotlin
import java.security.SecureRandom

// Setting a fixed numeric seed
val random1 = SecureRandom()
random1.setSeed(123456L)  // Noncompliant

// Setting a fixed string seed
val random2 = SecureRandom("myseed".toByteArray())  // Noncompliant

// Reseeding with predictable value
val random3 = SecureRandom()
val time = System.currentTimeMillis()
random3.setSeed(time)  // Noncompliant: timestamp is predictable
```

## Compliant Code Examples{% #compliant-code-examples %}

```kotlin
import java.security.SecureRandom

// Let SecureRandom choose its own seed: with no seed supplied, the provider
// seeds itself from the operating system's entropy source
val random1 = SecureRandom()
// nextBytes() takes a ByteArray to fill and returns Unit, so allocate the buffer first
val bytes = ByteArray(32).also { random1.nextBytes(it) }

// Use strong instance (preferred). On some platforms the strong algorithm reads
// from a blocking entropy source, so the first call may pause until entropy is available
val random2 = SecureRandom.getInstanceStrong()
val number = random2.nextInt()
```