CA2103: Review imperative security

Note

This article applies to Visual Studio 2015. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation. We recommend upgrading to the latest version of Visual Studio.

| Item | Value |
| --- | --- |
| TypeName | ReviewImperativeSecurity |
| CheckId | CA2103 |
| Category | Microsoft.Security |
| Breaking Change | Breaking |

Cause

A method uses imperative security and might be constructing the permission from state information or return values that can change while the demand is active.

Rule Description

Imperative security uses managed objects to specify permissions and security actions during code execution, whereas declarative security uses attributes to store permissions and actions in metadata. Imperative security is very flexible because you can set the state of a permission object and select security actions by using information that is not available until run time. That flexibility carries a risk: the run-time information that you use to determine the state of a permission can change while the action is still in effect.

Use declarative security whenever possible. Declarative demands are easier to understand.

How to Fix Violations

Review the imperative security demands to make sure that the state of the permission does not rely on information that can change while the permission is being used.

When to Suppress Warnings

It is safe to suppress a warning from this rule if the permission does not rely on changing data. However, it is better to change the imperative demand to its declarative equivalent.
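The following C# sketch is an added illustration, not code from the original article. It contrasts a demand built from mutable state with a demand over a snapshot and with the declarative equivalent; the class `LogReader`, its members, and the file path are hypothetical, and .NET Framework code access security is assumed.

```csharp
using System.IO;
using System.Security.Permissions;

// Constructed example: LogReader and the path below are hypothetical.
public class LogReader
{
    private const string FixedLogPath = @"C:\AppData\app.log";

    // Mutable state: any caller, on any thread, can change this value.
    public string LogPath { get; set; } = FixedLogPath;

    // Pattern to review: the permission is built from mutable state,
    // and the same state is read a second time after the demand.
    public string ReadRisky()
    {
        var permission = new FileIOPermission(FileIOPermissionAccess.Read, LogPath);
        permission.Demand();
        // If LogPath changed between the demand and this call, the file
        // that is opened is not the file the demand was made for.
        return File.ReadAllText(LogPath);
    }

    // Imperative, but the permission no longer relies on changing data:
    // the value is copied once and that copy is used for both steps.
    public string ReadSnapshot()
    {
        string path = Path.GetFullPath(LogPath);
        new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
        return File.ReadAllText(path);
    }

    // Declarative equivalent: the path is a compile-time constant stored
    // in metadata, so it cannot change while the demand is in effect.
    [FileIOPermission(SecurityAction.Demand, Read = FixedLogPath)]
    public string ReadDeclarative()
    {
        return File.ReadAllText(FixedLogPath);
    }
}
```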
