As service-oriented computing becomes more prevalent, an increasing number of applications will be developed using existing software components with standard interfaces. These components may be developed in-house, may represent purchased software, or may involve vendor-located leased services. The use of multiple services, possibly utilizing different technologies and different sources, has significant implications for the performance and security of applications that must support a business process effectively. Estimating performance and security in this distributed environment is a hard problem. This paper examines how performance and security measures can be developed for service-based applications. Business processes are broken down into constituent tasks and a formal mechanism is developed for deriving performance and security measures for the application. Given the competing nature of these two objectives, a tradeoff strategy is utilized wherein managers can trade improved performance for reduced security or vice versa. As the number of alternative services for each task increases, the composition problem becomes combinatorially explosive. A genetic algorithm approach is adopted to find the Pareto optimal set of services that can be assembled to support the business process. An application to a real-world business process illustrates its effectiveness. © 2010 Elsevier B.V. All rights reserved.