Code access security authorizes code when it attempts to access secured resources, such as the file system, registry, network, other .NET assemblies and so on, or when it attempts to perform other privileged operations, such as calling unmanaged code or using reflection.
Code access security is an important additional defense mechanism that developers can use to provide constraints on a piece of code. An administrator can configure code access security policy to restrict the resource types that code can access and the other privileged operations it can perform. From a Web application standpoint, this means that in the event of a compromised process where an attacker takes control of a Web application process or injects code to run from inside the process, the additional constraints that code access security provides can limit the damage that can be done.
In .Net Framework; the authentication (identification) of code is based on evidence about the code, for example, its strong name, publisher, or installation directory. Authorization is based on the code access permissions granted to code by security policy.