In practice, security is very often neglected, for several reasons:
Security requires effort.
It is impossible to achieve absolute security (except by disconnecting distributed systems).
You might assume that the usual security mechanisms for the Internet (firewalls and special protocols such as SSL) are enough.
You might assume that SOA infrastructures usually provide enough security.
It is not clear whether security is an issue for the infrastructure team or the business teams.
The following subsections will discuss these topics, directly or indirectly.
In general, you should not assume that infrastructures (the Internet, Web Services, or any other middleware) deal with security in such a way that you don't have to think about it any longer.
The first problem is that there might be a lack of conceptual support. For example, the fundamental Web Services protocol doesn't deal with security: it was designed to provide connectivity. As [PulierTaylor06] claims about Web Services standards:
The new standards were also developed without security in mind. . . . None of these Open Standards (XML, SOAP, WSDL, and UDDI) contain any inherent security aspects of their own. If left alone, they are completely nonsecure. In fact, web services were designed to move efficiently through firewalls.
Similarly, process-modeling standards such as BPEL so far have no concept for composing and aggregating security concepts when they compose ...