A database management system is provided for security of database objects. These objects may be passive elements such as tables, rows, views, the databases themselves, etc., or they may be executable items such as stored procedures or triggers. A mechanism is provided for "certifying" that certain types of objects such as stored procedures, triggers, and views can be safely used to access other, sensitive objects in the database. Certification indicates that (1) a security officer has evaluated and certified the object, and (2) the now certified object has not undergone a defined security-relevant change since certification. Certification is particularly important in the context of a "trusted" stored procedure or a "trusted" stored trigger. "Trusted" executable objects can be executed at sensitivity levels that exceed that of a user or subject. Thus, the subject may use a trusted stored procedure or trigger to access certain objects having higher sensitivity levels than his or her own. If the certified object changes in a security-relevant manner, its "certification state" changes from certified to "suspect" which causes the object to become unexecutable.