Hacking The Business Capability Stack: Make Corporate Bureaucracy Work For You (presented at ShmooCon 2011)

by Javier Sanchez,

Security Business

http://www.shmoocon.org/schedule#business

Summary: A business capability is a functional unit within a business that is comprised of four layers: policies, people, processes, and technologies. Policies provide governance. People provide judgment, expertise, and exception handling. Processes provide repeatability. Technologies remove people from the processes and provide automation.

The four layers comprise a business capability stack (BCStack). You can model a corporate bureaucracy as a system of BCStacks. BCStacks exchange information and resources with other BCStacks (Engineering interacts with Finance, IT interacts with Customer Support, etc.). BCStacks can create, change, and delete other BCStacks. BCStacks can contain sub-BCStacks. One person with a laptop is a BCStack.

BCStacks are completely hackable. You can reverse engineer a BCStack's policies and help others reinterpret them in your favor. You can find a person who has the authority to make an exception to a BCStack policy. You can hack the BCStack's people layer by influencing them with your ideas. You can fuzz-test a BCStack's process until it breaks and then recommend your fix. You can hack a BCStack's technology layer by demonstrating its vulnerabilities. Most importantly, you can create your own BCStack.

Javier Sanchez: Javier is the security test lead at the Boeing Company. While at Boeing he has designed security test system architectures, performed penetration tests against Boeing's commercial airplanes, authored airplane cyber security test plans, authored secure software development policy, and defined a cyber security incident response process that supports the existing commercial fleet of Boeing's e-Enabled airplanes. Prior to working at Boeing, Javier worked at S1 Incorporated, where he developed security event monitoring systems for the banking industry. Javier obtained his Master of Science in Information Assurance from Norwich University in 2008.