In general, when you implement a basic SOAP web service, you are exposing the service to the world, good and bad. The main worry you have to consider in your code is validating inputs. Naively accepting strings in particular can be very damaging. If there is ANY value a number can be that you can't handle, look for it and don't continue. If you accept strings, make sure you thoroughly sanitize them (look for and be very suspicious of semicolons, and escape every "special character" you see).
A common attack on a naive service that uses unsanitized strings in a SQL query might look like "ABC'; drop database master;". If your code injected that into a SQL query without noticing the artificial query termination and malicious script, you could be cleaning out your desk the next day. The solution is very simple; escape the single quote, replace the semicolon with an ASCII or Unicode representation that you can translate back from (or simply strip it out), and the service call will treat it like the garbage it is.
That brings up a second point; your web services, even though they're your code, should be the subject of great suspicion in the rest of your system. Web services should use DB authentication that provides the least possible permissions to do their job. If your service uses an administrator or DBO login, you are almost certainly wrong; the above query, if it went through, would actually be executed, and your master DB is gone rendering your DB server inoperable. If your service used a login that very strictly controlled the permissions to only what the service needed, SQL Server would barf, but that is infinitely preferable to losing your master DB.
Also, be very careful about exception handling. A poorly-formed exception, which will be returned through SOAP much like a valid result, can include confidential information, encouraging an attacker to try to make your service throw an exception that has useful information about the implementation behind the service. SQL/ADO exceptions are particuarly over-helpful to attackers because they provide information about your data structure that could be exploited to cause trouble. Look for things that could throw exceptions beyond your control, and handle the situation gracefully before the CLR or other layers deeper than your code can barf. Trapping all exceptions is generally bad practice elsewhere, but "catch-and-release" with some sanitization could be a good idea here, and very generic 500 error redirects, which usually indicate exception trapping, are common practice in the webosphere. If you want or have to throw an exception in your code, craft it carefully and don't include any information you don't want the world knowing.
From an architectural standpoint, think of your services like an electrical outlet in the wall. The plugs are the ONLY way to get what you want (power) out of the wall. You know there are J-boxes, conduit, switches, etc. but you can't access them without a lot of (literal) hacking. Following this analogy, your endpoints should be set up to listen on specified, known ports, and the rest of the system should look like a wall from the outside; all other ports should be closed.