Security PS Internships and Apprenticeships for High School Seniors and Current College Students

Right now, high school and college-age students have an opportunity to start internship and apprenticeship positions on the Security PS Application Security team, learning the fundamental concepts and skills necessary to pursue a professional career in this high-demand field. Our team of cybersecurity experts has a passion for investing in the upcoming workforce, and we've created these programs to give hard-working students the opportunity, mentoring, and resources to accelerate their growth toward a professional career.

Who is this for?
Security PS is hiring high school seniors and current college students as interns and apprentices NOW! You don’t need a college degree to get started, and you don’t have to wait until May. Students can work part-time while finishing (and prioritizing) school. Security PS is holding an information session on Wednesday, March 25th at 3:00 PM over Google Hangouts for students, parents, and teachers interested in learning more. Please fill out this form to be invited to that information session.

What can you expect?
During the internship and apprenticeship programs, students will strengthen their existing software development skills to build a solid foundation towards application penetration testing. Then, Security PS will provide training and mentorship to equip them with the technical and soft skills necessary to find and exploit application security vulnerabilities and report them to customers. As apprentices and interns become proficient at working on projects and identifying vulnerabilities, they will be promoted to an associate application security engineer with the option to begin working full-time.

About Security PS
Security PS is an 18-year-old Kansas City company that has earned a strong reputation in the industry for delivering quality work and for its excellent team. Internally, we have developed a culture that enjoys pursuing knowledge through self-study and then teaching those skills to the rest of the team.
Security PS provides a supportive team environment that gives employees the opportunity for growth and ongoing professional development in a range of areas. Designed to fit the work style of our team, we've moved away from the traditional office and adopted a virtual office with a local team presence. This allows us to work flexibly from home, collaborate virtually, and still meet and collaborate face to face. Regular team events and hangouts also add to the collaborative team culture. Security PS values employees as people. Our company has a 40-45 hour work week, and managers have a genuine interest in each person's well-being.

My WCF Experience (Part 1)

Hello World

One of the core aspects of Security PS is the leadership’s emphasis and priority on continuing professional development. I have been afforded a great deal of research and development time to grow my security and application development knowledge. So, I've decided to blog a bit of what I'm learning in hopes that my "aha" moments may help and spur on others on a similar journey.

A New Target: WCF

In our team's application security testing projects, there are times when we encounter applications that use "Windows Communication Foundation" (WCF) to communicate between application components. I was new to WCF, so one of my teammates and mentors, Nick Coblentz, tossed me in the deep end of WCF communication so I could get a good handle on how to test such applications for security concerns. Nick gave me a crash course and some exercises to understand WCF services, their security implications, and how to test them. Essentially, I first had to build a service myself and implement different service configurations. Then I needed to figure out how to listen to the communication and identify the circumstances and methods that would enable me to manipulate it. Over the next few posts, I'm going to walk through how I figured out this process and share a few things I learned along the way.

WCF - What is it good for? (and what even is it?)

Windows Communication Foundation (WCF) originally was code-named Indigo and was released with .NET 3.0 in 2006. According to Microsoft, WCF “is a framework for building service-oriented applications.” WCF was built to support a whole suite of features, including interoperability, data contracts, security, multiple transports and encodings, and reliable and queued messages (Source: https://docs.microsoft.com/en-us/dotnet/framework/wcf/whats-wcf).

Today, the general Internet consensus appears to be that more and more enterprises are moving away from WCF toward WebAPI for its ease in supporting not only websites but also mobile devices and tablets. However, WCF has been a core part of service-oriented infrastructure on the Internet for over a decade, so it still bears relevance today. Beyond its pervasiveness, WCF is likely to remain a core part of service-oriented architecture for the time being because WCF and WebAPI are complementary, not mutually exclusive. WCF by design supports a service-oriented architecture and implements Web Services (WS) protocols based on SOAP specifications for stateless applications, whereas WebAPI supports a resource-oriented architecture and pairs much better with RESTful frameworks where stateful applications are concerned.

Now that we have an understanding of what WCF is, I'll share how I implemented my first WCF service.

The Setup

First, I set out to build a basic WCF service. No fancy bells, no fancy whistles. Just a WCF service out of the box. Microsoft has done a good job with providing documentation on their website to assist with setting up an initial WCF service. As I mentioned previously, this is not a tutorial blog post, but I followed this walkthrough to help me get a basic service up and running along with a client. For me, my application was a simple Windows Form that:
Asked for a username and password
Checked the combination against an Excel “database”
Returned whether the credential pair was valid or not.

This simple application was designed to mimic an intranet login application, which you can see in the two screenshots below.

Login Form with Valid Response Message 

Login Form with Invalid Response Message
Now, the default WCF service generated by Visual Studio 2017 is a "basicHttpBinding" service. This is a very simple service with no default security mechanisms implemented - no TLS, no encryption, no message-level security. The returned message (either "Valid" or "Invalid") told me the service and client were working properly, but I wanted to see how the mechanism underneath worked. Proxying the service through BurpSuite allowed me to inspect the transport mechanism.

WCF basicHttpBinding Observations

Intercepting POST Request with BurpSuite
Viewing raw response with BurpSuite
The first observation one may make about the above screenshots is the presence of the SOAP envelope and body. As previously mentioned, WCF implements the SOAP framework, and the request and response shown in the screenshots bear this out.

The second observation one may make is that basicHttpBinding transmits everything in clear text, with no security implementation whatsoever configured out of the box. It does not support the Web Services (WS-*) protocols or standards. By default, basicHttpBinding does not allow cookies, the encoding type is "Text", and security is turned off.
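As an added illustration (not the author's project or its configuration), here is a service configuration fragment that puts the default, security-less basicHttpBinding beside a hardened variant of the same binding that forces HTTPS. The service, contract, and address names are assumed placeholders.

```xml
<!-- app.config / web.config fragment (added example; LoginDemo names are assumed) -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Equivalent to the Visual Studio default: SOAP over plain HTTP,
           no transport or message security, credentials travel in clear text. -->
      <binding name="InsecureDefault">
        <security mode="None" />
      </binding>

      <!-- Hardened variant: same SOAP 1.1 / text encoding, but the endpoint
           must be served over HTTPS so the envelope and any credentials
           inside it are protected in transit. -->
      <binding name="TransportSecured">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <services>
    <service name="LoginDemo.LoginService"
             behaviorConfiguration="LoginServiceBehavior">
      <!-- Bind the contract to the hardened binding and an https:// address;
           WCF refuses to open a mode="Transport" endpoint on a plain http:// URI. -->
      <endpoint address="https://localhost:8443/LoginService"
                binding="basicHttpBinding"
                bindingConfiguration="TransportSecured"
                contract="LoginDemo.ILoginService" />
      <!-- Metadata exchange over HTTPS as well. -->
      <endpoint address="https://localhost:8443/LoginService/mex"
                binding="mexHttpsBinding"
                contract="IMetadataExchange" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="LoginServiceBehavior">
        <!-- Publish WSDL only over HTTPS; never return exception internals to callers. -->
        <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The hardened binding only protects the channel; it does not authenticate the caller, so the username and password carried in the SOAP body remain the application's own responsibility to validate.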

Quick Conclusions

This was my introduction to WCF and to playing with the out-of-the-box basic configuration. Based on my initial observations, basicHttpBinding is quick and simple to set up, but it is not suitable for corporate solutions. However, most clients probably are not using basicHttpBinding. So, look for "My WCF Experience Part 2", where I set out to create a wsHttpBinding.