Security issues with Web services have slowed their adoption for deployment of critical services in the enterprise. Maintaining security in Web service architectures is especially difficult because of their open, standards based interfaces. Yet many organizations are moving to this technology and are faced with the challenge of certifying their environments as secure. Unique challenges exist with the combination of Web service authentication, network security vulnerabilities, incompatible security-mechanisms, open publication of interface definitions, and automated discovery of services. Certification processes mandate the need for a security certification boundary given identified vulnerabilities. In this paper, we review Web service security vulnerabilities and outline guidelines to form an enclave. The expressed guidelines are specific to certifying a service-oriented architecture implemented with Web services