Service-oriented architecture (SOA) is a powerful distributed computing paradigm that provides high-level abstractions for developing, deploying, and executing distributed systems while hiding many platform-level details. SOA platforms host functionality as deployed services, support decoupled interaction between service providers and service consumers, and manage low-level plumbing and dispatching among various deployed components. As with any distributed computing platform, SOA presents challenges for security and survivability beyond those that exist in more static and local platforms. As SOA platforms become popular and more widely used in a variety of distributed systems, it is important to explore their security challenges and vulnerabilities, and to understand how well those are addressed by the current security features of SOA platforms. This paper reports on a case study that evaluated the vulnerability profile of a SOA platform based on the popular open source JBoss Application Server.