Sandy Carielli

Principal Analyst

Author Insights

Blog

National Poetry Month And The Case For Whimsy In Security & Risk

Sandy Carielli April 5, 2021
We all need a bit of whimsy in our lives. This is not just an excuse for a whimsical blog post, though there is that. Whimsy and laughter build bridges. And in the security world, where empathy is a critical resource, whimsy can be a first and recurring step in connecting with the teams outside […]

Make Application Security A Top Priority

Sandy Carielli March 23, 2021
When we launched the most recent Forrester Analytics Business Technographics® Security Survey, it was summer of 2020. We’d been in quarantine for about three months, and firms had long since realized that they needed to digitally transform their businesses (and fast) in order to survive the new normal. That meant a lot of application development, as […]

Just In Time, The SAST Market Has Embraced The Developer

Sandy Carielli January 11, 2021
The classical challenge with static application security testing (SAST) was bridging the gap between security and development. In SAST’s early days, it was a tool for security pros, who threw the results of prerelease scans over the wall to developers to fix. Developers had to contend with large numbers of unclear findings and false positives, […]

It’s Likely You Already Have Low-Code Developers — Get Them Into Your Security Neighborhood

Sandy Carielli January 4, 2021
Security pros should work to integrate security into the developer experience to ensure customer-facing applications are secure. Consider these three points to get started.

COVID Drives M&A Activity In DevOps And IT Management

Sandy Carielli December 4, 2020
Learn how the pandemic's increased uncertainty and volatility have produced some attractive M&A opportunities in DevOps and IT management.

Bots Kept Jeff From Buying A PS5, And Sandy Had To Hear About It

Sandy Carielli November 18, 2020
It’s not that I’m not a gamer. I enjoy board games and card games: Trivial Pursuit, Settlers of Catan, SET, Hive. I’m up to level 3056 in Two Dots. As a kid, I played Super Mario Land on my brother’s Game Boy and Sonic the Hedgehog on the family Sega Genesis. But I’ve never been […]

Black Friday “All Season Long”? Expect The Bots To Follow Suit

Sandy Carielli November 5, 2020
I was scouring some of the Black Friday ads this week, and the trend seems to be less “Black Friday” than “Black November and probably most of December, too.” Best Buy is touting, “Black Friday all season long.” Target offers weekly “Black Friday Now” deals. Walmart? “Black Friday Deals for Days!” None of this is […]

The Power And The Peril Of APIs

Sandy Carielli October 22, 2020
Every time we come up with new ways to build and deploy applications, we also come up with new ways to break them. Did SQL make it easier to access and manipulate large amounts of structured data? You bet, and it also led to SQL injection. Ready to join the cloud? Hope you didn’t put […]

Twenty Technologies Underpin Application Security

Sandy Carielli October 9, 2020
When I was working at @stake in the early 2000s, most of my client engagements were in application security. I did a number of code reviews that involved people handing me stacks of paper to go through. “Grep” was an important security tool. When I was involved in application penetration tests, we used a combination […]

Low-Code Development Requires A Security Rethink

Sandy Carielli July 31, 2020
Low-code platforms speed delivery of applications, but are they secure? The answer is more complicated than I expected when I started this research project with my colleagues, John Bratincevic and John R. Rymer. We’re still gathering information, but we’ve discovered that: Low-code security is not well understood. Even vendors with extensive security investments acknowledged that […]

Container Adoption Is On The Rise: How Can Security Keep Up?

Sandy Carielli July 24, 2020
Adopting containers has become increasingly popular — consider that, as of 2019, 33% of global developers indicated that their development organizations currently use containers, and another 25% said they want to do so over the next 12 months. These numbers are not surprising when we consider the value containers offer, such as scalability, agility, and […]

Developer Security Champions Are Needed Now More Than Ever

Sandy Carielli June 12, 2020
In an era of budget cuts and staff reductions, can your organization propose a new security program? Analyst Sandy Carielli provides answers.

Some Good News About Application Security

Sandy Carielli May 4, 2020
In my new report, “The State Of Application Security, 2020,” some of the trends are . . . kind of discouraging. Applications remain the most popular attack vector, open source continues to infect everything, and too many industries are not investing in the application security controls they need. But you’re probably tired of reading bad […]

Security Recommendations 2020: What To Focus On

Sandy Carielli April 27, 2020
Our team of security and risk analysts spent the past few months brainstorming and curating tactical and strategic advice designed to improve your security programs for 2020 and beyond . . . and then along came the COVID-19 global pandemic. In the midst of this, firms are undergoing a shuffle of priorities to accommodate a […]

The Web Application Firewall Market Is Ripe For Disruption

Sandy Carielli March 2, 2020
Let’s face it: Web application firewalls (WAFs) rarely excite the security imagination. WAFs have been ubiquitous for at least 15 years and play an important role in detecting and blocking OWASP Top 10 application level attacks like SQL injection and cross-site scripting. WAFs are table stakes in any environment, but they suffer from the perception […]

The Road To RSA Conference 2020: What Am I Looking For?

Sandy Carielli February 17, 2020
Attending RSA Conference is like being at a giant class reunion where everyone still has homework to do. Catching up with old friends working at new companies is great (and it usually starts at the airport), but most of us work hard during the week. Depending on where I worked, I have spent previous conferences […]

Leverage Bot Management To Enforce Ethical Data Use

Sandy Carielli February 7, 2020
There are good bot uses and there are bad ones. If your business is collecting customer data or images, you have a responsibility to guard against bad bots that scrape the web. Learn how.

As Bad Bots Evolve, Bot Management Solutions Evolve To Fight Them

Sandy Carielli January 29, 2020
One of my favorite things about covering the bot management market is that bots are not just a security issue. Sure, it’s common for bots to conduct credential stuffing attacks with a bunch of stolen usernames and passwords, but that just scratches the surface of the bot problem. Attackers also use bots to perform reconnaissance […]

The WAF-Bot Management Acquisition Waltz

Sandy Carielli December 31, 2019
With F5 Networks buying itself a $1 billion Christmas present in Shape Security, it’s a good time to review the state of the bot management market. The Shape Security sale caps off a year of bot management acquisitions by web application firewall (WAF) vendors. In January, Radware announced that it had acquired ShieldSquare, and in […]

Retailers, Don’t Let Grinchy Bots Ruin Your Holiday Season

Sandy Carielli October 31, 2019
Bot traffic can eat into profits and sabotage customer experiences. Learn how to play defense.