Review imperative security
Imperative security uses managed objects to specify permissions and security actions during code execution, as opposed to declarative security, which uses attributes to store permissions and actions in metadata. Imperative security is extremely flexible because you can set the state of a permission object and select security actions using information that is not available until run time. With that flexibility comes the risk that the runtime information that you use to determine a permission's state does not remain unchanged while the action is in effect.
Use declarative security whenever possible. Declarative demands are easier to understand and can be detected by tools such as Permview.exe.