§44 · Lane 8 — Agent Infrastructure Standards & Toolchain

MITRE CWE

The MITRE Corporation (2026) · MITRE CWE

standards-framework · Tier 1 · Lane 8 · Free per CWE Terms of Use

Bibliographic data

Title: MITRE CWE — Common Weakness Enumeration (CWE List Version 4.20)
Authors / Issuing body: The MITRE Corporation (sponsored by the US Cybersecurity and Infrastructure Security Agency, CISA)
Venue / Publisher: The MITRE Corporation
Year: 2026
Designation: standards-framework
Licence: Free per CWE Terms of Use — refer to publisher for full licence terms.

How to cite

The MITRE Corporation (2026). MITRE CWE — Common Weakness Enumeration (CWE List Version 4.20). The MITRE Corporation. https://cwe.mitre.org/.

Community-developed MITRE catalogue of common software and hardware weakness types, each with a stable CWE identifier.

Why it matters for NETEVO

MITRE CWE supplies the canonical weakness-identifier vocabulary that the failure-mode table in the Agent Infrastructure Whitepaper cites. Where OWASP lists are domain-specific (LLM, API, agentic), CWE is the general-purpose weakness taxonomy that underlies all of them. Because specific CWE identifiers stay stable across decades, they give NETEVO's citation discipline a fixed-point anchor from which the domain-specific lists hang.

Five CWE identifiers are cited in the Agent Infrastructure Whitepaper, all scoped through this single catalogue entry: CWE-285 Improper Authorization, CWE-639 Authorization Bypass Through User-Controlled Key, CWE-862 Missing Authorization, CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes, and CWE-306 Missing Authentication for Critical Function. The first three are the broken-authorisation CWE family the IAC is built on; CWE-915 is the persistence pattern that compounds IAC; CWE-306 is the prerequisite missing-authentication failure.

The single-entry convention mirrors MITRE ATLAS. Individual CWE identifiers are cited by URL, not as separate entries. NETEVO tracks the CWE List Version header for new releases (roughly annual).
