
Should random() be banned?

Blog post from Semgrep

Post Details
Company: Semgrep
Word Count: 422
Language: English
Hacker News Points: -
Summary

The post discusses the challenges of applying static analysis tools in software development, in particular flagging non-cryptographically-secure functions such as random(), and the disconnect between a rule's theoretical accuracy and its practical impact. It introduces "Fix Rate" as a new metric for evaluating the effectiveness of static analysis tools like Semgrep: the percentage of merge-blocking findings that developers fix rather than mute in continuous integration (CI). The post describes the experience of r2c and Figma in using Fix Rate to refine security rules and practices, emphasizing that real-world developer feedback, not theoretical precision alone, determines whether a rule is worth enforcing. Integration with platforms like GitHub is noted for bringing security analysis directly into the development workflow, allowing security rules to be iterated on and deployed rapidly.