Web Services Best Practice

I would like to hear some suggestions for best practices when using web services, specifically implementing security with data exchange. I was thinking of a security key/token exchange workflow.
I'd love to hear how some people are using web services, and their respective security measures.
Depends what kind of security you want :)

- At one company we have a 2-sided certificate implemented, which is not so easy with OutSystems ;)
- At another company the web services are internal-only, so the firewall/router/DNS makes sure only certain servers can reach the web services
- We also have a webservice implemented by a simple token.
- At another company we use a 2-method webservice, so the first method is to get a token, the second method is to actually call the real stuff with the token, and the token is only valid once...
- In the header we often use username/pwd

So, my best practice is actually to understand the need for security for a webservice.
Is the webservice exposed to the internet, yes/no?
What kind of data is exposed?
What are the implications if data is exposed/misused?
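
An added example, not code from any poster in this thread: a sketch of the two-method, single-use token flow mentioned in the reply above. The class and function names, the 60-second lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifetime; the thread only says "valid once"


class OneTimeTokenStore:
    """Issues tokens redeemable exactly once, by the client they were issued to."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        # Only a hash of each token is kept, so a dump of the store
        # does not reveal tokens that are still redeemable.
        self._pending = {}  # sha256(token) -> (client_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def get_token(self, client_id):
        """Method 1: call only after the client has authenticated."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (client_id, self._clock() + self._ttl)
        return token

    def redeem(self, client_id, token):
        """Guard for method 2: True only for an unused, unexpired token of this client."""
        # pop() removes the entry before any other check, so a replayed token,
        # or one presented by the wrong client, can never succeed later.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        owner, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(owner.encode(), client_id.encode())


def get_purchase_order(store, client_id, token, order_id):
    """Hypothetical 'real' operation; the returned record is constructed sample data."""
    if not store.redeem(client_id, token):
        raise PermissionError("invalid, expired or already used token")
    return {"order_id": order_id, "status": "constructed sample"}
```

With more than one server behind the service, the pending-token store has to be shared and the lookup-and-delete has to be a single atomic operation, otherwise the same token can be redeemed once per server.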

Thanks for the detailed reply.
The web service WILL be exposed to the Internet.
The kind of data exposed is sensitive company information such as purchase order details and vendor contact details.
What do you suggest?
Correct me if I'm wrong,

1. https
2. soap-authentication
3. allow only certain IPs to access the server (white-listing), makes it even harder to call your webservice.
4. hide the wsdl