OSB Security, is it worthwhile securing Both the Proxy Service and The Business Service?
Or just the Proxy service?
In other words if the business service is not configured with security, could this be a security hole?
I will link to a couple parts of the documentation for you:
Now, when you say "if the business service is insecure", you're actually pointing out what needs to be understood. Can you call a Business Service from a context OUTSIDE of the Proxy Service that you wrote it for? I would say that there are plenty fo Business Services that you could call from ANY Proxy Service in OSB, so if you feel that at the OSB level, you are concerned some developer might code something against your business service and call it without needing to provide some sort of authentication/authorization, you probbaly will need to secure it.
Furthermore, if you're able to call the Business Service from outside of the box (as you would do with a Proxy Service), then you're likely to face the same sets of concerns as far as letting anyone call that service if they happen to find the URL for it.
This might not be the best answer, but I think your question could use some refining to ask more specifically, "Can Business Services be invoked directly from outside of SBConsole?", which I unfortunately don't have a good answer for you.
I think an even better question is "What vectors can an OSB Business Service be invoked from?" as it points out WHERE you have to look to ensure that people aren't trying to call your sensitive business services directly.