In case you missed it, last week the body charged with driving real-world web service interoperability (WS-I) has released version 1.0 of the Basic Security Profile.
For ISV's, the WS-I work gives you a target to build & test your services against that will give you some assurance that your product will actually be interoperable with web services clients and services on various platforms and from various vendors or open source proejcts. In the case of BSP 1.0, that taget grows to include operating web services in secure scenarios including message-level authentication, transport level security and other options. Check out the final profile for details.
While this spec can be a little overwhelming, the good news for ISV's developing on the Microsoft platform is that all this is taken care of for you by using Windows Communication Foundation through the built in BasicHttpBindng. As more advanced standards continue to evolve, you can expect Microsoft to publish binding configurations that do the heavy lifting while you continue to focus on building business value into your applications and services.