With the rapid development and wide application of the Web services, its security flaws and vulnerabilities are increasing. Security has become one of the key issues to constrain the development of Web services technology. In this paper, we focus on how to build a security architecture for Web services to meet the security requirements of Web service applications. On the basis of analyzing the existing methods, a new security implementation approach for Web services is proposed to meet both the common security requirements of Web services platform and the specific security requirements of Web service applications. Then a security architecture for Web services is proposed. The architecture supports separating the functional implementations of Web service from the non-functional implementation of Web service, and ensures the portability of the platform.