Well, it was not too long ago that all the security pundits were telling us how bad web services are for security, and some are still saying it, right? Of course, when someone tells you some technology is "bad" for security, the proper response is always: compared to what? So SOAP is somehow worse for security than DCOM or RMI-IIOP? Remind me of all the great security tools that shipped with those protocols again?
Funny, but when all the big vendors and standards bodies have to sit down and work out interop, they sometimes get something pretty nice. Rickard Oberg on SAML and XACML (emphasis added):
There are many other crucial technologies today which are important for integrating webapps into a portal. It is curious to read forums where people bash things like portlets and WSRP and XACML and such. "Why would we want to run portlets in two servers? My Struts app works just fine on one Tomcat instance." Amazing. When you have been exposed to real-life DMZ environments a couple of times you start to wonder how the heck we get anything done *without* stuff like WSRP and security integration specifications like XACML and SAML. The conclusion appears to be that developers who don't get it simply aren't exposed to the realities of actually running the apps. For development it might make no sense to have several servers, or integration technologies like SAML and WSRP, but for real deployments they are essential. As long as application developers are in the dark with regard to these basic realities, systems integrators are going to keep using hack upon hack in order to make house-of-cards type integrations of apps.
Precisely the point: not only are Web Services not turning out to be "bad" for security, but the standards they are generating (SAML, XACML, WS-*) are giving developers better security tools than they have ever had before.