Information systems of companies and organizations are increasingly designed using web services that allow different applications written in different programming languages to communicate. These systems or some parts of them are often outsourced on the cloud, first to leverage the benefits of cloud platforms (e.g., scalability) and also to reduce operational costs of companies as well. However, web services as well as cloud platforms may be the target of attacks that alter their security, and the security of web services is not completely addressed. The solutions proposed in the literature are sometimes specific to certain types of attacks and they cannot ensure the attack tolerance of web services. Attack tolerance can be defined as the capability of a system to function properly with minimal degradation of performance, even if the presence of an attack is detected. As such, we claim that, to achieve attack tolerance, one should detect attacks by a continuous monitoring and mitigate the effects of these attacks by reliable reaction mechanisms. For this aim, an attack tolerance framework is proposed in this paper. This framework includes the risks analysis of attacks and is based on diversification and software reflection techniques. We applied this framework to cloud applications that are based on web services. After describing the core foundation of this approach, we express such cloud applications as choreographies of web services according to their distributed nature. The framework has been validated through an electronic voting system. The results of these experiments show the capability of the framework to ensure the required attack tolerance of cloud applications.