A growing number of deployments of wireless sensor networks (WSNs) position the nodes as multipurpose albeit limited platforms. These platforms offer services to a set of applications of different owners. This view introduces security problems complementary to protection against outsiders requiring mechanisms beyond the existing physical, base crypto and network-level protection. Limited trust in the different applications mandates a security solution providing granular control over resources and data. Because of the constrained nature of network-embedded systems, transferring solutions from the distributed systems domain to the embedded system requires optimization. Distributed monitors can provide adequate security but must be concise and controllable by lightweight run-time artifacts as well as be deployed only where needed. Presented research consists of an operational model that inserts controls by instrumentation of local or remote interaction in the resource-rich back end, subsequently enforcing control at the nodes by using scaled down policy engines. The selective injection is achieved through aspect-oriented techniques. The solution is demonstrated for two paradigms encountered when building WSN applications, thus achieving local resource protection and protection of distributed event-based data flow. The costs and benefits of the selective injection approach are validated and quantified through a river monitoring case and associated simulation experiments. Copyright © 2011 John Wiley & Sons, Ltd.