# Improvement Backlog

## Purpose
This page provides a centralized view of all identified security improvements within the Scheol Security Lab.
Its objectives are to:
- track security weaknesses and improvement opportunities
- prioritize remediation efforts based on risk
- ensure no identified issue is left unaddressed
- maintain visibility on ongoing and planned actions
This backlog reflects the actual state of the lab, not an ideal or target architecture.
## Backlog Model
Each entry represents a concrete finding or improvement need.
### Fields
| Field | Description |
|---|---|
| ID | Unique identifier (IMP-XXX) |
| Issue | Short description of the problem |
| Source | Where the issue was identified |
| Related Risk(s) | R-XXX |
| Priority | High / Medium / Low |
| Status | Open / In Progress / Done |
| Owner | Sec / Ops / Dev |
| Notes | Context, decisions, constraints |
## Improvement Backlog

### High Priority
| ID | Issue | Source | Risk | Status | Owner | Notes |
|---|---|---|---|---|---|---|
| IMP-001 | Reverse proxy may expose unintended internal services due to configuration gaps | Residual Gaps / Architecture | R-001 | Open | Ops | Requires strict routing rules and validation |
| IMP-002 | No centralized logging across Heaven and Hell environments | Detection Gaps | R-001, R-002, R-003 | In Progress | Sec | Wazuh planned but not yet deployed |
| IMP-003 | Administrative access not enforced through bastion | Control Status / Architecture | R-003 | Open | Ops | Direct access still possible |
| IMP-004 | MFA not consistently enforced on sensitive services | Control Status | R-003 | In Progress | Sec | Partial deployment, needs standardization |
### Medium Priority
| ID | Issue | Source | Risk | Status | Owner | Notes |
|---|---|---|---|---|---|---|
| IMP-005 | Co-location of multiple services on public VPS increases lateral movement risk | Security Design Decision | R-001, R-002 | Open | Ops | Separation planned in future phases |
| IMP-006 | Backup strategy relies on provider snapshots only | Residual Gaps | R-002 | Open | Ops | No external or immutable backups yet |
| IMP-007 | Limited validation of detection capabilities (no systematic scenarios executed) | Validation & Monitoring | R-001, R-002, R-003 | Open | Sec | Needs initial scenario execution |
### Low Priority
| ID | Issue | Source | Risk | Status | Owner | Notes |
|---|---|---|---|---|---|---|
| IMP-008 | Documentation and implementation may diverge over time | Evidence Review | R-001, R-002, R-003 | Open | Sec | Requires periodic review |
| IMP-009 | No formal evidence freshness or review policy | Audit & Evidence | R-002 | Open | Sec | Can be added after initial evidence collection |
## Status Definitions
| Status | Description |
|---|---|
| Open | Identified but not yet started |
| In Progress | Actively being worked on |
| Done | Implemented and validated |
## Prioritization Logic

Priority is determined by:
- risk exposure (linked R-XXX)
- attack surface (public vs internal)
- impact on critical assets
- dependency on other improvements
High-priority items should focus on:
- exposed services
- administrative access
- visibility and detection gaps
## Relationship with Other Sections
The backlog is fed by:
- Residual Gaps
- Control Status
- Validation & Monitoring
- Known Detection Gaps
- Architecture & Design Decisions
It in turn drives:
- Control implementation
- Architecture evolution
- Validation priorities
- Roadmap (Next Phase)
## Governance Rule
No identified issue should exist outside this backlog.
If a gap is identified, it must be:
- added to the backlog
- prioritized
- tracked until resolution or explicit acceptance
## Current State

At the current stage:
- the backlog is manually maintained
- prioritization is qualitative
- coverage focuses on R-001 to R-003
- some improvements are planned but not yet started
## Objective
The goal is to maintain a living and actionable backlog that reflects:
- real weaknesses
- real priorities
- real progress
This page is the primary driver of security improvement within the Scheol Security Lab.