§44 · Lane 8 — Agent Infrastructure Standards & Toolchain

MITRE CWE: the stable weakness taxonomy beneath AI-system security reviews

The MITRE Corporation (2026) · MITRE CWE

Standards Framework · Tier 1 · Lane 8 · Free per CWE Terms of Use

Bibliographic data

Title
MITRE CWE — Common Weakness Enumeration (CWE List Version 4.20)
Authors / Issuing body
The MITRE Corporation (sponsored by the US Cybersecurity and Infrastructure Security Agency, CISA)
Venue / Publisher
The MITRE Corporation
Year
2026
Designation
Standards Framework
Licence
Free per CWE Terms of Use — refer to publisher for full licence terms.

How to cite

The MITRE Corporation (2026). MITRE CWE — Common Weakness Enumeration (CWE List Version 4.20). The MITRE Corporation. https://cwe.mitre.org/.

Community-developed MITRE catalogue of common software and hardware weakness types, each with a stable CWE identifier.

Why it matters for NETEVO

MITRE CWE is a community-developed catalogue of common software and hardware weakness types, and it supplies the canonical weakness-identifier vocabulary of software and hardware security. Where OWASP lists are domain-specific (LLM, API, agentic), CWE is the general-purpose weakness taxonomy that underlies all of them, and individual CWE identifiers remain stable across decades — a fixed point from which the domain-specific lists hang.

Five identifiers connect the taxonomy to the Implicit Authority Cascade (IAC): CWE-285 Improper Authorization, CWE-639 Authorization Bypass Through User-Controlled Key, CWE-862 Missing Authorization, CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes, and CWE-306 Missing Authentication for Critical Function. The first three are the broken-authorisation family on which the IAC is built; CWE-915 is the persistence pattern that compounds an IAC; CWE-306 is the prerequisite missing-authentication failure.

The CWE List itself is versioned, with new releases arriving roughly annually.

Where NETEVO applies this

Related audiences