In today’s global network-based environment, where mission-critical applications typically run on highly distributed systems, customers expect reliable, available, and secure services. Supporting security becomes an important issue in service-oriented architecture (SOA). This paper describes how to simultaneously support both dynamic security policies and separation of concerns when developing an SOA application. We propose the DPSL (dynamic policy specification language) for managing and controlling the security according to the dynamic behavior of the workflow in SOA. The operation model is compatible with existing SOA standards, such as the WSDL, WS-Policy, WS-Security- Policy, WS-ReliableMessaging, and the BPEL. As a result, existing standard Web-services engines and BPEL engines can be employed directly to support dynamic policies in SOA. The implementation and experimental results demonstrate the feasibility of the proposed architecture.