Web service composition languages promise a cheap and effective means for application integration over the Internet as in typical B2B interaction scenarios. BPEL is the upcoming standard for web service composition and several implementations of it are already available. However, for web service composition languages to keep their promises it is essential to provide more support for security. Companies will embrace web service composition languages only if their requirements of confidentiality, integrity, authentication, etc. are fulfilled. In this paper, we look at security in web services compositions and present a framework for securing BPEL compositions using WS-Security and WS-Policy. The main components of our framework are the process container implemented by a set of aspects in AO4BPEL, an aspectoriented extension to BPEL, the security service and the deployment descriptor. We also introduce the notion of policy-based process deployment to check the compatibility of the security policies of the composition and its partners at deployment time.