Overview
The OWASP SAMM Skills Framework maps each SAMM activity stream to defined responsibilities, helping organizations determine which roles lead and support each stream. Originally donated by Siemens, it complements SAMM by answering two questions the model itself does not: who should do the work, and how they can build the right expertise.
Why use it
SAMM explains what to do. The skills framework reveals who should do it:
- Clarity: no more guessing whether developers or product managers own a security activity. The framework identifies who leads and who supports.
- Training: for each role, it points to relevant training, certifications, and reading material.
- Scalability: whether you run one product team or dozens, it helps you visualize shared responsibilities across the organization.
How to apply it
- Map responsibilities to roles: match each assignment in the framework with a role or person in your organization. This helps you visualize who needs to pick up an activity.
- Map streams to roles: walk through the SAMM to Assignments mapping and evaluate the list of stakeholders. Are the people you identified in the previous step the right ones to mature each activity? Adjust where needed and note any differences from the reference.
- Validate assignments: check your mapping with stakeholders. Everyone involved should know what part they play in maturing the SDLC. If responsibilities for certain practices span multiple teams, validate with stakeholders in those teams too.
- Assess current skills: determine where each stakeholder stands. Do they need training on threat modeling, a refresher on secure coding, or deeper knowledge in another area? Use the Assignment Profiles to identify relevant skills and training for each role.
- Fill the gaps: provide training based on the framework's recommendations: online courses, workshops, coaching sessions, or self-study with the recommended books and certifications.
- Track progress: use SAMM assessments to measure improvement over time. Show stakeholders and auditors tangible advancement, not just intentions.
Example from practice
At Siemens, applying the skills framework highlighted how stakeholder distribution for certain SAMM activities differed significantly between two similar teams: people assigned to the same role in each team had different responsibilities.
Each team’s customized version of the framework diverged from the generic reference in some places. The customized versions allowed each team to assign the right leads to SAMM practices and gave them a smooth start in their rollout.
Next steps
- Browse the SAMM to Assignments mapping to see which roles lead and support each stream
- Review the Assignment Profiles for skills, training, and certifications per role
- Start with Step 1: Prepare in the Quick Start Guide to identify your stakeholders