Web services are almost irresistible. Every popular IDE makes them easy to build -- to unlock the data and business logic in legacy systems, to provision common functions that can be shared across multiple platforms, or to provide partner organizations direct access to information or applications. And by their nature, Web services helpfully describe themselves, allowing one system to find and interact with another with little or no human intervention. Yet the very virtues that make Web services compelling -- their use of trusted ports and protocols, their ease in exposing back-end systems, their eagerness to describe exactly what services are offered and how to get at them, and their use of multiple intermediaries -- also make them a potential windfall for criminals crossing an enterprise's perimeter.
