Security Debt Register
Purpose
This register tracks known security gaps, limitations, and postponed improvements within Scheol Security Lab.
The objective is to:
- maintain visibility on unresolved issues
- support prioritisation of security efforts
- ensure transparency on current limitations
- provide traceability between risks, controls and improvement actions
Definition
Security debt represents:
Any known weakness, limitation or incomplete implementation that impacts the security posture but has not yet been fully addressed
This includes:
- architectural limitations
- incomplete control implementation
- missing detection capabilities
- operational constraints
- temporary design decisions
Debt Register
| ID | Title | Description | Related Risk | Priority | Status | Target |
|---|---|---|---|---|---|---|
| SD-001 | Service Co-location (Heaven VPS-01) | Public services and Gitea share the same host, so a compromise of one exposed service gives a foothold next to the source repository | R-001 | High | In Progress | Separation of services (ADR-001) |
| SD-002 | No Centralized Logging | Logs are not fully centralized, limiting detection and investigation capabilities | R-002 | Critical | In Progress | SOC deployment (ADR-002) |
| SD-003 | Uncontrolled Admin Access | Administrative access is not yet fully routed through the bastion; a personal workstation is still partly used | R-003 | Critical | In Progress | Bastion enforcement (ADR-003) |
| SD-004 | Weak Backup Isolation | Backups rely on provider snapshots stored on the same infrastructure as the systems they protect, so a host or account compromise can reach them | R-001 | High | Planned | External immutable backups |
| SD-005 | Lack of WAF Protection (Dolibarr) | Public application exposed without a dedicated WAF or advanced request filtering | R-001 | High | Planned | WAF deployment / reverse proxy hardening |
| SD-006 | Limited MFA Coverage | MFA is not consistently enforced across all sensitive services | R-003 | High | In Progress | MFA generalization |
| SD-007 | Incomplete Detection Coverage | Detection rules and monitoring coverage are still limited | R-002 | Medium | Planned | Detection engineering improvements |
| SD-008 | Admin Workstation Not Isolated | Administration is performed from a non-dedicated environment | R-003 | High | Planned | Dedicated admin workstation |
Status Definitions
- Open → identified but not yet addressed
- In Progress → actively being worked on
- Planned → acknowledged but not started
- Accepted Risk → intentionally not addressed (with justification)
- Resolved → implemented and validated
Prioritisation Logic
Priorities are determined by:
- associated risk level
- exposure (internet-facing vs internal)
- potential impact
- dependency on other components
Traceability
Each entry should be linked to:
- a risk entry (R-XXX)
- optionally a decision record (ADR-XXX)
- related controls or validation gaps
This ensures alignment with the global logic:
Risk → Control → Implementation → Validation → Improvement
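The status definitions and traceability rules above are easy to state and easy to drift from as the table is edited by hand. The following Python lint is an added example, not part of the lab's own tooling: it parses a register in the same Markdown table layout as this page and checks that every ID matches SD-NNN, every entry references a risk entry R-NNN, status and priority come from the defined sets, no ID is duplicated, and any entry that is not resolved or accepted still names a target. The sample rows, the deliberately broken SD-009 row and the inclusion of "Low" in the priority set are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the register in the page's Markdown
# layout. The SD-009 row is an assumed bad entry added to show what fails.
REGISTER_MD = """\
| ID | Title | Description | Related Risk | Priority | Status | Target |
|---|---|---|---|---|---|---|
| SD-001 | Service Co-location | Public services and Gitea share the same host | R-001 | High | In Progress | Separation of services (ADR-001) |
| SD-002 | No Centralized Logging | Logs are not fully centralized | R-002 | Critical | In Progress | SOC deployment (ADR-002) |
| SD-004 | Weak Backup Isolation | Backups rely on provider snapshots | R-001 | High | Planned | External immutable backups |
| SD-009 | Example bad row | Missing risk link and unknown status | - | Urgent | Done | |
"""

# Status values from the page; "Low" is an assumed addition to the priorities.
STATUSES = {"Open", "In Progress", "Planned", "Accepted Risk", "Resolved"}
PRIORITIES = {"Critical", "High", "Medium", "Low"}
UNRESOLVED = {"Open", "In Progress", "Planned"}
ID_RE = re.compile(r"^SD-\d{3}$")
RISK_RE = re.compile(r"^R-\d{3}$")
ADR_RE = re.compile(r"ADR-\d{3}")


def parse_register(md: str) -> List[Dict[str, str]]:
    """Parse the pipe table into one dict per row, keyed by header name."""
    rows = [line for line in md.splitlines() if line.startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    entries = []
    for line in rows[2:]:  # skip the header row and the |---| separator
        cells = [c.strip() for c in line.strip("|").split("|")]
        entries.append(dict(zip(header, cells)))
    return entries


def check_entry(entry: Dict[str, str]) -> List[str]:
    """Return the findings for one row; an empty list means it passes."""
    findings = []
    ident = entry.get("ID", "")
    if not ID_RE.match(ident):
        findings.append(f"{ident or '<no id>'}: ID must match SD-NNN")
    if not RISK_RE.match(entry.get("Related Risk", "")):
        findings.append(f"{ident}: Related Risk must reference a risk entry R-NNN")
    if entry.get("Priority") not in PRIORITIES:
        findings.append(f"{ident}: unknown priority {entry.get('Priority')!r}")
    status = entry.get("Status")
    if status not in STATUSES:
        findings.append(f"{ident}: unknown status {status!r}")
    # Anything still open must name a target so the improvement stays traceable.
    if status in UNRESOLVED and not entry.get("Target"):
        findings.append(f"{ident}: unresolved entry has no target")
    return findings


def lint_register(md: str) -> List[str]:
    """Run all checks over the register and collect findings in table order."""
    findings = []
    seen = set()
    for entry in parse_register(md):
        if entry.get("ID") in seen:
            findings.append(f"{entry['ID']}: duplicate ID")
        seen.add(entry.get("ID"))
        findings.extend(check_entry(entry))
    return findings


def adr_links(md: str) -> Dict[str, List[str]]:
    """Map each entry ID to the ADR identifiers cited in its Target column."""
    return {e["ID"]: ADR_RE.findall(e.get("Target", "")) for e in parse_register(md)}


if __name__ == "__main__":
    for finding in lint_register(REGISTER_MD):
        print(finding)
```

Run against the sample, the three well-formed rows pass and SD-009 is reported for its missing risk link, its unknown priority and its unknown status; `adr_links` gives the ADR references that the Traceability section asks for, which can then be checked against the decision records that actually exist.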
Governance
- Security Role (Sec): maintains and prioritises the register
- Operations Role (Ops): implements infrastructure-related improvements
- Development Role (Dev): handles application and automation-related improvements
Current Maturity
At the current stage, the security debt register is actively used and maintained.
Established
- identification of major security gaps
- linkage between risks and improvement actions
- initial prioritisation logic
In Progress
- refinement of prioritisation criteria
- better linkage with validation and monitoring outputs
- continuous update based on lab evolution
Planned / Next Phase
- integration with audit and evidence workflows
- tracking of remediation effectiveness
- historical tracking of resolved debt
This register reflects a deliberate approach to transparent and risk-aware security improvement.