Vexed Digital Blog - Access all Areas

Access all Areas

We often get asked about security and web 2.0 environments. Typically, web 2.0 development involves giving an application running in the user's browser more direct access to data stored on the server through a predefined set of methods. When doing this, it must be remembered that even though the service may be intended for use by pages from the site only, the service will be visible to anyone who cares to look.

It is therefore important to understand that the service may be used in ways that were not expected. This might happen accidentally, through an otherwise well-intentioned programmer wishing to build a useful application, but it could equally be someone attempting to gain access to private data, or even to compromise the server.

A naive web service implementation might take previously internal methods and expose these externally. Whilst such methods may be tested to ensure that they function as anticipated, they are unlikely to have been thoroughly tested from a security point of view. For example, a page that displays a list of users might avoid showing private information such as date of birth. However, the corresponding internal method is likely to return all known information on that user, including data that the user has asked to be kept private.

It is therefore important to make sure that any such interface to the site, even if it is intended for internal use, is defined with the rigour that would normally go into building an external interface for public use.

Where data is being accessed that should be restricted to certain users, that will obviously include authenticating the user through one of the many authentication schemes that have been created for use with web services. And of course, if the page itself is encrypted, then it is also likely that access to the web service will need to be encrypted.
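The two points above (an internal method that returns every field, and a service that needs to authenticate the caller before handing out restricted data) can be illustrated side by side. The following is an added Python example written for this post, not code from Vexed Digital's platform; the user store, session table, field allowlists and function names are all constructed assumptions. The naive service simply re-exports the internal lookup; the hardened service authenticates the caller from a session token, authorises the request, and builds its response from an explicit allowlist of fields so that nothing the internal record happens to hold can leak by accident.

```python
from typing import Dict, Optional, Tuple

# Constructed sample data store (assumption: not the page's data).
# Note that the internal record holds fields the user asked to keep private.
USERS: Dict[int, Dict] = {
    1: {"id": 1, "name": "alice", "email": "alice@example.invalid",
        "date_of_birth": "1980-01-01", "password_hash": "$2b$12$...", "roles": ["user"]},
    2: {"id": 2, "name": "bob", "email": "bob@example.invalid",
        "date_of_birth": "1975-06-30", "password_hash": "$2b$12$...", "roles": ["admin"]},
}

# Constructed session table mapping bearer tokens to user ids (assumption).
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}


def internal_get_user(user_id: int) -> Dict:
    """Internal method: returns everything known about the user."""
    return USERS[user_id]


# --- Naive exposure: the internal method becomes the web service verbatim. ---
def naive_service_get_user(user_id: int) -> Dict:
    """No authentication, no field filtering: the full record goes to any caller."""
    return internal_get_user(user_id)


# --- Hardened exposure: explicit contract, authenticated and authorised. ---
class ServiceError(Exception):
    """Raised with an HTTP-style status so the caller learns nothing extra."""
    def __init__(self, status: int, message: str):
        super().__init__(f"{status} {message}")
        self.status = status


# Allowlists define the external contract; anything not listed never leaves.
PUBLIC_FIELDS: Tuple[str, ...] = ("id", "name")
OWNER_FIELDS: Tuple[str, ...] = PUBLIC_FIELDS + ("email", "date_of_birth")


def authenticate(session_token: Optional[str]) -> int:
    """Resolve a session token to a caller id or reject the request."""
    caller = SESSIONS.get(session_token) if session_token else None
    if caller is None:
        raise ServiceError(401, "authentication required")
    return caller


def hardened_service_get_user(user_id: int, session_token: Optional[str] = None) -> Dict:
    """Authenticate, authorise, then project the record onto an allowlist."""
    caller = authenticate(session_token)
    record = USERS.get(user_id)
    if record is None:
        raise ServiceError(404, "not found")
    # Owners and admins may see the private fields; everyone else sees public only.
    is_owner = caller == user_id
    is_admin = "admin" in USERS[caller]["roles"]
    allowed = OWNER_FIELDS if (is_owner or is_admin) else PUBLIC_FIELDS
    return {field: record[field] for field in allowed}


def hardened_service_list_users(session_token: Optional[str] = None) -> list:
    """The user-list page's equivalent: public fields only, for every user."""
    authenticate(session_token)
    return [{field: u[field] for field in PUBLIC_FIELDS} for u in USERS.values()]


if __name__ == "__main__":
    print("naive:", naive_service_get_user(1))            # leaks dob, email, hash
    print("self:", hardened_service_get_user(1, "tok-alice"))
    print("other:", hardened_service_get_user(2, "tok-alice"))  # id and name only
    print("list:", hardened_service_list_users("tok-bob"))
```

The important design choice is that the hardened service never starts from the internal record and removes fields; it starts from an empty response and copies in only what the contract permits, so a column added to the internal store later does not silently appear in the public interface.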

The pace of change on the web means that a site nowadays tends to be updated with new features far more often than ever before. This high rate of development can mean mistakes are made, and we realised from the start that it made sense to develop a single platform that we now use with all our clients.

The platform is designed to be flexible, giving clients a stable, tested base with new functionality regularly being added. We can devote much more time to ensuring each new feature is fully tested for security than we could if we were developing features for clients individually. Reusing code in this way has eliminated problems that we might otherwise have seen if we had developed unique code for every client.


Posted  2/07/08 at 4:00pm
