By careful separation of concerns, security requirements and design for security services can be modeled separately from application concerns. This modeling approach reduces system complexity caused by mixing security requirements and designs with application requirements and designs This separation of concerns is also needed in the implementation phase to consistently reduce system complexity. This paper addresses separation of application and security concerns in the implementation phase of secure software development. Security components separated from application components in the software architecture are implemented via security aspects with aspect-oriented programming, whereas application components are implemented through application objects with object-oriented programming. The mapping scheme of security components to security aspects is described in terms of security requirements. A security aspect is committed whenever application objects need the security aspect. A business-to-business (B2B) electronic commerce system is used to validate the proposed approach using Java and AspectJ.