As Richard Bejtlich observed, the TCP/IP stack is becoming intertwingled with lots of other things. Certainly, Cisco's purchase of Reactivity should lead us to expect more angle brackets in the stack, not fewer, meaning XML Security is important in infrastructure as well as in distributed apps.
One of the primary, robust ways to deal with XML Security in SOAP, Web services, SOA, and REST apps is to use an XML Security Gateway. These are very powerful tools; the downside for the enterprise is that they are hard to assess and analyze. I launched the OWASP XML Security Gateway Evaluation Criteria project to:
* Create evaluation criteria supporting a transparent, level playing field for XML Security Gateway solutions to define their solution's key value proposition
* Where practical, attempt to standardize nomenclature and metrics
* Educate the community on the design considerations for XML security
I have found Ivan Ristic's work on the Web Application Firewall Evaluation Criteria to be very helpful, and would be happy if we can achieve similar utility in the XML security space.