A new paper I co-authored with Howard Lipson at CERT is online: "Security Concepts, Challenges, and Design Considerations for Web Services Integration". It is part of the DHS Build Security In site that describes best practices for development staff who want to actually build security services into the software they are developing. The paper is really two papers in one - the first part is on web services and their impact on security concepts, the second part deals with message-level security (WS-Security, WS-Trust, WS-SecureConversation) to enable an end-to-end security model for an integrated system, and the last part is on design considerations for security in web services.
For sure the most fun was collaborating with Howard Lipson, Patrick Harding, Tony Nadalin, Gary McGraw, Eric Newcomer, Brian Roddy, Andy Gordon, Pat Christiansen, Mark O'Neill, Pamela Curtis, Nancy Mead, Bob Ellison, and others. We got really helpful feedback and worked hard to incorporate it all into the paper.