Or why maybe using random() is a terrible idea. Use arc4random() instead on FreeBSD/OpenBSD/Mac OS X for a MUCH better random number generation, and best of all it is auto-seeded.
The only caveat is that you then have to wrap it in an #ifdef if you want source portability. The thing random() has over arc4random() is exactly that - it's part of the standard C library on most platforms.
For discussion: Why is random() not already arc4random() on platforms that provide the arc4 variant? Is it for speed's sake? Different implementations of libc functions will seed differently, so it's not a cross-platform seed stability concern.
Is the problem that you can't seed it with a fixed value and get the same pseudorandom sequence?
Yes, because of the need for pseudorandom sequences. In FreeBSD this comes up every so often, but the reality is that there's a lot of AI and simulation/modeling code that uses the libc random functions (either rand(3) or random(3)) and expects reproducible behavior with the same seed both throughout the life of a program and across multiple executions.
That could easily be accommodated by implementing random_ng() to take an optional buffer that the PRNG would use to initialize its state. If a buffer is not passed, use a random or pseudorandom entropy source... whatever's available on the system. From ivy bridge on, intel cpus will have the RdRand instruction, or there's /dev/urandom.
That offers the best of both worlds. If you want repeatably, initialize random_ng() with a known buffer. If you want reasonable unpredictability, let the PRNG initialize itself using whatever it wants. (Not to confuse that PRNG with good entropy randomness that might be accessible from RdRand, or which is usually obtained by asking the user to move the mouse.)
You use random() when you need the statistical appearance of random numbers, and potentially the ability to generate the same sequence deterministically. It's not intended for the same use case as arc4random() (which is itself probably not one of the best CSPRNGs).
(i) arc4random is among the older of the widespread CSPRNGs (WinAPI CryptGenRandom is of the same vintage but has been updated).
(ii) arc4random is an implementation of RC4, which is not a well-regarded stream cipher particularly with regard to biases.
(iii) As I recall (note: I could be totally wrong here) arc4random depends on RC4 as its entropy management function; modern designs tend to use secure hash functions for this.
(iv) arc4random in isolation implements only one component of what Ferguson and Schneier would call a cryptographically secure random number generator (the "generator"); it doesn't handle entropy gathering, it doesn't handle heterogenous entropy sources, it doesn't manage entropy pools, and it doesn't build in functionality for handling cold starts (ie, it doesn't inherently persist its state).
One issue that encapsulates all of these (and also blunts any criticism you might perceive of OpenBSD in this comment) is that arc4random as implemented in OpenBSD is not the same thing as openbsd-lib/arc4random.c; OBSD handles entropy gathering, for instance, in the kernel. On the other hand, FreeBSD ignored some of these issues back in 2008 and had a cold start problem. Point being: if you just grab arc4random.c from OpenBSD CVS and stick it in your project, you probably hurt your security.
I like Thomas Pornin's suggestion to this on Stack Overflow: take AES (you probably have it in hardware on modern Intel chipsets) and run it in CTR mode, with random (from random sources) entropy keys (expanded with a fast secure hash), rekeying regularly; this has the advantage of keeping the RNG state in some sense away from attackers as well.
But of course what you really ought to do is just use /dev/random.
For discussion: Why is random() not already arc4random() on platforms that provide the arc4 variant? Is it for speed's sake? Different implementations of libc functions will seed differently, so it's not a cross-platform seed stability concern. Is the problem that you can't seed it with a fixed value and get the same pseudorandom sequence?