Code, particularly security-relevant code, should be clearly documented. Developers should specify any security relevant assumptions, preconditions, or side effects clearly in the documentation.