Title: From Safety Cases to Security Cases

Author(s): Richard Hawkins, Rob Alexander, Tim Kelly

Publication Event: Proceedings of the Twenty-fifth Safety-Critical Systems Symposium, Bristol, UK

Publication Date: 2017-02-08

Resource URL: https://scsc.uk/r901.pdf

Abstract:

Assurance cases are widely used in the safety domain, where they provide a way to justify the safety of a system and render that justification open to review. Assurance cases have not been widely used in security, but there is guidance available and there have been some promising experiments. There are a number of differences between safety and security which have implications for how we create security cases, but they do not appear to be insurmountable. It appears that the process of creating a security case is compatible with typical evaluation processes, and will have additional benefits in terms of training and corporate memory. In this paper we discuss some of the implications and challenges of applying the practice of assurance case construction from the safety domain to the security domain.