By The SAMM Project Team | February 9, 2025
Introduction
Picture this: your team is tasked with building secure, compliant software, but you’re not sure where to begin or whom to involve. In today’s cloud-driven world, even solid security plans can stall if teams don’t know which tasks they own or believe they lack the skills to get started. Many organizations lack a clear view of ownership and shared responsibilities across teams, whether they work with internal service providers or external public providers. This leads to confusion and delays the rollout of security practices.
The new OWASP SAMM Skills Framework, generously donated by Siemens, maps SAMM streams to specific responsibilities, helping organizations determine which roles are involved in maturing each stream and providing guidance on the skills and training each role needs. By aligning SAMM activities, roles, and skill requirements, the framework helps you identify the right stakeholders and the training they need. It also helps organizations visualize shared responsibilities.
Understanding the Complexities of Secure Product Development
Complying with global regulations requires a mature, measurable approach to security. OWASP SAMM provides a roadmap for improving your SDLC, but real-world implementation brings tough questions:
- How do you assign the right tasks to the right people?
- What training is required for them to be successful?
- How do you measure if these efforts are truly paying off?
Without a clear structure, it’s tough to determine who leads which initiatives or who needs upskilling. This can slow down compliance projects and reduce the effectiveness of security investments.
Introducing the OWASP SAMM Skills Framework
The OWASP SAMM Skills Framework builds on OWASP SAMM by mapping each security activity stream to defined responsibilities. SAMM explains what to do; the Skills Framework shows who should do it and how they can gain the right expertise.
What sets it apart?
- Clarity: No more guessing whether developers or product managers should handle a certain security activity. The framework highlights who is typically responsible.
- Training: For each role, it points you toward relevant training, certifications, or workshops.
- Scalability: Whether you’re a small startup or an enterprise with multiple products, it helps you visualize who should be involved in the SDLC implementation.
For example, if a product manager needs to understand secure design principles, the framework suggests training options. You can then schedule that training to elevate their skill set.
Applying the SAMM Skills Framework
How do you put the Skills Framework to work?
- Map responsibilities to roles: Match each responsibility listed in the framework with a role or person in your organization. This helps you visualize who needs to pick up an activity as you complete the framework.
- Map streams to roles: Go through the framework and evaluate the list of stakeholders for each stream. Are the people you mapped in the previous step the right people to mature each activity? Change where needed and highlight any differences from the reference.
- Validate activity-to-role assignments: Check your work with the stakeholders, ensuring everyone involved knows what part they will play in maturing the SDLC. If responsibilities for certain practices are delegated to other teams, validate with stakeholders in those teams too.
- Assess current skills: Determine where each stakeholder stands. Do they need a refresher on secure coding, training on threat modeling, or other skills that will help them mature the practices assigned to them?
- Fill the gaps: Provide training based on the framework’s recommendations. Host workshops, offer online courses, or arrange coaching sessions.
- Track progress: Use SAMM to measure improvement over time. Show stakeholders and auditors that you’re not just talking about security; you’re demonstrating tangible advancement.
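As an added example (not part of the original post and not the Skills Framework's own format or reference data), the following Python sketch carries out the mapping steps above over a small constructed data set: start from a reference mapping of SAMM streams to roles, apply a team's overrides, report where the team deviates from the reference, flag roles that the mapping references but nobody on the team holds (a check worth running before validating with stakeholders), and list the skills each person still needs for the streams assigned to them. The stream names are OWASP SAMM v2 streams; the role assignments, role-to-skill requirements, team members, and overrides are constructed for illustration only.

```python
"""Constructed helper for the SAMM Skills Framework mapping exercise.

Everything below (role assignments, skills, people) is illustrative and
does not reproduce the framework's reference mapping.
"""
from collections import defaultdict

# Reference mapping: SAMM stream -> roles that typically mature it (constructed).
REFERENCE = {
    "Design/Threat Assessment/Application Risk Profile": {"Product Manager", "Security Architect"},
    "Design/Threat Assessment/Threat Modeling": {"Security Architect", "Developer"},
    "Design/Security Requirements/Software Requirements": {"Product Manager", "Developer"},
    "Implementation/Secure Build/Build Process": {"DevOps Engineer"},
    "Verification/Security Testing/Scalable Baseline": {"DevOps Engineer", "Security Champion"},
}

# Skills a role needs for the streams it is assigned (constructed).
ROLE_SKILLS = {
    "Product Manager": {"risk classification", "secure design principles"},
    "Security Architect": {"threat modeling", "secure design principles"},
    "Developer": {"secure coding", "threat modeling"},
    "DevOps Engineer": {"pipeline hardening", "SAST/DAST tooling"},
    "Security Champion": {"SAST/DAST tooling", "secure coding"},
}

# A team: who holds which roles and which skills they already have (constructed).
TEAM_A_PEOPLE = {
    "alice": {"roles": {"Product Manager"}, "skills": {"risk classification"}},
    "bob": {"roles": {"Developer", "Security Champion"}, "skills": {"secure coding", "SAST/DAST tooling"}},
    "carol": {"roles": {"DevOps Engineer"}, "skills": {"pipeline hardening"}},
}

# Team A has no security architect, so it reassigns the risk profile to its champion,
# but forgets that threat modeling still names the architect.
TEAM_A_OVERRIDES = {
    "Design/Threat Assessment/Application Risk Profile": {"Product Manager", "Security Champion"},
}


def customize(reference, overrides):
    """Step 2: start from the reference mapping and apply a team's changes."""
    team = {stream: set(roles) for stream, roles in reference.items()}
    team.update({stream: set(roles) for stream, roles in overrides.items()})
    return team


def diff_from_reference(reference, team):
    """Highlight streams whose stakeholders differ from the generic reference."""
    out = {}
    for stream in sorted(set(reference) | set(team)):
        ref, cur = reference.get(stream, set()), team.get(stream, set())
        if ref != cur:
            out[stream] = {"added": sorted(cur - ref), "removed": sorted(ref - cur)}
    return out


def unstaffed_roles(team, people):
    """Step 3 pre-check: roles a stream relies on that no team member actually holds."""
    staffed = {role for person in people.values() for role in person["roles"]}
    out = {}
    for stream, roles in team.items():
        missing = sorted(roles - staffed)
        if missing:
            out[stream] = missing
    return out


def skill_gaps(team, people, role_skills=ROLE_SKILLS):
    """Steps 4 and 5: per person, the skills their assigned streams require but they lack."""
    needed = defaultdict(set)
    for roles in team.values():
        for role in roles:
            needed[role] |= role_skills.get(role, set())
    gaps = {}
    for name, person in people.items():
        required = set().union(*(needed[role] for role in person["roles"]))
        missing = sorted(required - person["skills"])
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    team = customize(REFERENCE, TEAM_A_OVERRIDES)
    print("Deviations from reference:", diff_from_reference(REFERENCE, team))
    print("Roles nobody holds:", unstaffed_roles(team, TEAM_A_PEOPLE))
    print("Training needed:", skill_gaps(team, TEAM_A_PEOPLE))
```

Running it reports the one stream Team A changed, the Threat Modeling stream that still depends on a role nobody on the team holds, and one missing skill per person. In practice the mapping lives in the framework's spreadsheet rather than in code, but the three checks are the ones worth repeating each time the mapping or the team changes.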
Putting the Framework into Action
In practice at Siemens, the Skills Framework showed that the stakeholder distribution for certain SAMM activities differed significantly between two similar teams, because the people holding the same role in each team had different responsibilities.
In the end, each team’s customized version of the framework differed from the other’s and, in places, from the generic reference. The customized versions let each team assign the task of maturing SAMM practices to the right leads and gave them a smooth start in their SAMM rollout.
Conclusion
Using SAMM helps your organization comply with regulations more efficiently, strengthen security practices, and provide stakeholders with measurable proof of progress. By leveraging the OWASP SAMM Skills Framework, you gain clarity on whom to involve and what training they need. It turns a complex, uncertain start into a structured, confident launch. If you’ve worried about skill gaps or fuzzy responsibilities, now you have a roadmap. Engage the right people, provide the right training, and propel your secure development lifecycle forward.
Some OWASP SAMM core team members played a key role in creating this SAMM Skills Framework for Siemens. Afterward, Siemens generously donated the finalized, generic version of the framework back to the OWASP community, making it publicly available to all SAMM users. We’re grateful to Paul El Khoury, Martin Baur, and Siemens for their contribution, and we believe it will make SAMM even more appealing and accessible to practitioners and users alike.
“I’ve been with Siemens Industry Software for nearly three years, and I’ve seen the power of OWASP SAMM firsthand. Siemens globally adopted SAMM back in 2013, so bringing it to our cloud portfolio was an easy decision. For us, OWASP SAMM is more than a framework—it’s a guide for planning, a tool for alignment, and a driver for growth. Now, as we expand its use across our entire portfolio, we’re proud to give back to the community that made this incredible framework possible!” Paul El Khoury, Chief Product & Solution Security Officer, Siemens Industry Software.
This collaboration between a SAMM practitioner and a SAMM user is an inspiring example of creating value for the user while contributing to the broader SAMM community. Do you have a similar project in mind or in progress? Let us help you share your work with the SAMM community. Reach out to us today to explore how we can support you in giving back to the community and amplifying the impact of your efforts.