Web services have been a cornerstone in the architecture of enterprise and startup solutions for many years. However, testing the security of web services is still considered a daunting and obscure task by many penetration testers. On the other side of the coin, full knowledge of how to properly secure web services is sporadic in the development community. In this two-hour session, the instructor aims to fill this knowledge gap by first defining and explaining web services and then walking through best practices for both testing and securing them. By the end of the session, students should have a good understanding of the difference between SOAP-based and RESTful services. Students will also understand common attack vectors, which testing tools to use, and best practices for securing web services against these attacks.