Services are usually developed and deployed independently; and systems can be formed by composing relevant services to achieve set goals. In such an open and dynamic environment, security is of paramount importance. We have seen much work in the traditional area of information and network security, focusing on developing various security techniques. More recently, there have been efforts in integrating the security techniques into languages and infrastructural support that are used for developing services and systems. In fact, the development of services and the composition of service-based systems are software engineering activities. As such, they need to be viewed from a software engineering perspective. In this paper, we introduce an approach to services security engineering, to answer the questions like what the security properties of services and service-based systems are and how they meet the users security requirements. It deals with the issues of (1) security property characterisation for services, (2) compositional security analysis for service-based systems, and (3) certification of services.