I got this question recently, so I thought it would be good to answer here as well. Basically, the question is, "With all the threats out there, which of them should SOA architects be concerned with?"
What I see most are the threats that are related to messaging in terms of access to the XML payload. In traditional applications, we have gotten pretty good at authentication (even though that is still hackable sometimes). However, in SOA with web messaging across HTTP/HTTPS, it is easier to find a point in the messaging process where the payload can be accessed. This can lead to a variety of attacks: malware, large payloads, XPath injection, etc.
In my SOA testing course (which is soon to be in an online format - stay tuned!), I describe the nature of these attacks. Most are similar to traditional attacks, except oriented to SOA. Take for example XPath injection. It is similar to SQL injection attacks, except it uses the XPath to gain access to data that is thought to be protected.
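To make the SQL injection parallel concrete, here is an added example (not from the original post) that shows how a concatenated XPath changes shape when a request value carries a quote, next to a lookup that only ever compares the value as data. The order document, the `c-NNNN` customer ID format and all function names are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data: one service response holding orders of two customers.
ORDERS_XML = """
<orders>
  <order><customer>c-1001</customer><total>19.99</total></order>
  <order><customer>c-2002</customer><total>250.00</total></order>
  <order><customer>c-1001</customer><total>5.00</total></order>
</orders>
"""

HOSTILE_ID = "x' or '1'='1"               # constructed test input
CUSTOMER_ID = re.compile(r"c-\d{4}")      # assumed ID format for this example


def build_query_unsafe(customer_id):
    """The 'before' form: the request value becomes part of the XPath text."""
    return "//order[customer='" + customer_id + "']/total"


def predicate_operators(xpath):
    """Count boolean operators that sit outside quoted string literals."""
    outside = re.sub(r"'[^']*'", "''", xpath)      # blank out the literals
    return len(re.findall(r"\b(?:and|or)\b", outside))


def lookup_by_comparison(customer_id, xml_text=ORDERS_XML):
    """Fixed traversal; the input is compared as a value, never parsed as XPath."""
    root = ET.fromstring(xml_text)
    return [order.findtext("total") for order in root.iter("order")
            if order.findtext("customer") == customer_id]


def orders_for_customer_safe(customer_id, xml_text=ORDERS_XML):
    """Allow-list the ID format first, then use the comparison-only lookup."""
    if not CUSTOMER_ID.fullmatch(customer_id):
        raise ValueError("customer id has unexpected format")
    return lookup_by_comparison(customer_id, xml_text)


if __name__ == "__main__":
    for value in ("c-1001", HOSTILE_ID):
        query = build_query_unsafe(value)
        print(query, "-> operators outside literals:", predicate_operators(query))
    print(orders_for_customer_safe("c-1001"))
```

Where the XPath library supports bound variables, passing the value as a variable gives the same separation of query and data while keeping the query in XPath.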
Keep in mind that SSL secures the message in transit only, while WS-Security maintains encryption until the message is processed. There are some other advantages of WS-Security over SSL, such as being able to specify securing only part of a message if you like. This can help reduce the performance cost of security.
What have you seen as the "big threats" in SOA security?