Microsoft has released WSE Policy Advisor – a tool for checking policy correctness. It has been called the FxCop of web services.

Sample output from the report:

Alarm: Test root certificates are allowed.
Risk: Any usage of X.509 certificates for signing or encrypting is unsafe. An active attacker can generate valid test certificates, then for instance use these certificates to sign any message.
Advice: Do not use test keys in production: set the attribute allowTestRoot="false" in the element of the WSE configuration file.
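The same check can be scripted against a configuration file before deployment. The following is an added example, not output or code from WSE Policy Advisor: the sample configuration is constructed, the `<x509>` element layout in it is an assumption, and the scan keys only on the `allowTestRoot` attribute named in the advice.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the original post). The <x509> element
# under <security> is an assumed layout; the scan below keys only on the
# allowTestRoot attribute named in the advice, wherever it appears.
WEAK_CONFIG = """<configuration>
  <microsoft.web.services3>
    <security>
      <x509 allowTestRoot="True" verifyTrust="true" />
    </security>
  </microsoft.web.services3>
</configuration>"""

FIXED_CONFIG = WEAK_CONFIG.replace('allowTestRoot="True"', 'allowTestRoot="false"')


def find_test_root_settings(config_xml):
    """Return (element_path, raw_value, is_enabled) for every allowTestRoot attribute."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        value = elem.attrib.get("allowTestRoot")
        if value is not None:
            # Conservative: treat any casing of "true" as enabled.
            findings.append((here, value, value.strip().lower() == "true"))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def audit(config_xml):
    """Return alarm strings for settings that allow test root certificates."""
    return [
        f"ALARM: test root certificates allowed at {path} (allowTestRoot={value!r})"
        for path, value, enabled in find_test_root_settings(config_xml)
        if enabled
    ]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "no alarm")
```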