In order to bake security into application design, we introduce an adaptation to the Command pattern: command instances are tagged with the permissions required to perform them for each object they manipulate. Prior to executing a command instance issued by a given user, an execution engine validates the user has the required permissions over the objects the command is about to operate on. Stating the required permissions can often be declarative. In addition to the usual advantages offered by the command pattern (such as standardized operation handling), this adaptation creates a single checkpoint for validating permissions throughout the application. This, in turn, enhances application security and reduces code duplication, for example between the API and UI controllers. Disadvantages include the lack of framework support, and a learning curve for existing developers. We have used this design in implementing Dataverse, a widely-used institutional data repository developed at Harvard University, which has been in production use since May 2015. As this design differs significantly from common web application design, we also look at how the development team adapted to it, and at how using it affected our development process.