The J2EE and .NET platforms give developers the ability to limit the capabilities of code running inside their virtual machines.

Web applications often run in environments with AllPermission (Java) or FullTrust (.NET) turned on. 

Running with these settings limits the virtual machine's ability to restrict the actions of the code it runs. Implementing code access security measures is not only useful for mitigating risk when running untrusted code – it can also limit the damage caused by a compromise of otherwise trusted code.
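The difference between an AllPermission grant and a narrow grant can be seen by asking each permission set what it would allow. The following is an added example, not code from the original page; it evaluates grants directly with the `java.security` permission classes rather than installing a security manager, and the application paths and the `GrantComparison` class name are constructed for illustration.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;

// Added example: compares what an AllPermission grant and a narrow grant
// would allow web-application code to do. All paths are constructed.
public class GrantComparison {

    // Grant equivalent to running the application with AllPermission.
    static Permissions allPermissionGrant() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    // Hypothetical least-privilege grant: read the application's own files
    // and read/write a single upload directory, nothing else.
    static Permissions restrictedGrant() {
        Permissions p = new Permissions();
        p.add(new FilePermission("/opt/app/webapps/shop/-", "read"));
        p.add(new FilePermission("/opt/app/uploads/-", "read,write"));
        return p;
    }

    public static void main(String[] args) {
        // Actions that code might request; the first two are legitimate
        // application behaviour, the rest are what compromised code may try.
        Permission[] requests = {
            new FilePermission("/opt/app/webapps/shop/WEB-INF/web.xml", "read"),
            new FilePermission("/opt/app/uploads/img.png", "write"),
            new FilePermission("/opt/app/webapps/shop/index.jsp", "write"),
            new FilePermission("/etc/passwd", "read"),
            new FilePermission("/bin/sh", "execute"),
            new RuntimePermission("createClassLoader"),
            new RuntimePermission("exitVM"),
        };
        Permissions all = allPermissionGrant();
        Permissions restricted = restrictedGrant();
        for (Permission r : requests) {
            // implies() answers: would this grant permit the request?
            System.out.printf("%-75s all=%-5b restricted=%b%n",
                    r, all.implies(r), restricted.implies(r));
        }
    }
}
```

Under the AllPermission grant every request is permitted; under the restricted grant only the first two are, so a compromise of the application code cannot rewrite its own pages, read system files, or spawn a shell.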
