Sandy Carielli
Principal Analyst

Author Insights
Blog
National Poetry Month And The Case For Whimsy In Security & Risk
We all need a bit of whimsy in our lives. This is not just an excuse for a whimsical blog post, though there is that. Whimsy and laughter build bridges. And in the security world, where empathy is a critical resource, whimsy can be a first and recurring step in connecting with the teams outside […]
Blog
Make Application Security A Top Priority
When we launched the most recent Forrester Analytics Business Technographics® Security Survey, it was summer of 2020. We’d been in quarantine for about three months, and firms had long since realized that they needed to digitally transform their businesses (and fast) in order to survive the new normal. That meant a lot of application development, as […]
Blog
Just In Time, The SAST Market Has Embraced The Developer
The classical challenge with static application security testing (SAST) was bridging the gap between security and development. In SAST’s early days, it was a tool for security pros, who threw the results of prerelease scans over the wall to developers to fix. Developers had to contend with large numbers of unclear findings and false positives, […]
Blog
It’s Likely You Already Have Low-Code Developers — Get Them Into Your Security Neighborhood
Security pros should work to integrate security into the developer experience to ensure customer-facing applications are secure. Consider these three points to get started.
Blog
COVID Drives M&A Activity In DevOps And IT Management
Learn how the pandemic's increased uncertainty and volatility have produced some attractive M&A opportunities in DevOps and IT management.
Blog
Bots Kept Jeff From Buying A PS5, And Sandy Had To Hear About It
It’s not that I’m not a gamer. I enjoy board games and card games: Trivial Pursuit, Settlers of Catan, SET, Hive. I’m up to level 3056 in Two Dots. As a kid, I played Super Mario Land on my brother’s Game Boy and Sonic the Hedgehog on the family Sega Genesis. But I’ve never been […]
Blog
Black Friday “All Season Long”? Expect The Bots To Follow Suit
I was scouring some of the Black Friday ads this week, and the trend seems to be less “Black Friday” than “Black November and probably most of December, too.” Best Buy is touting, “Black Friday all season long.” Target offers weekly “Black Friday Now” deals. Walmart? “Black Friday Deals for Days!” None of this is […]
Blog
The Power And The Peril Of APIs
Every time we come up with new ways to build and deploy applications, we also come up with new ways to break them. Did SQL make it easier to access and manipulate large amounts of structured data? You bet, and it also led to SQL injection. Ready to join the cloud? Hope you didn’t put […]
Blog
Twenty Technologies Underpin Application Security
When I was working at @stake in the early 2000s, most of my client engagements were in application security. I did a number of code reviews that involved people handing me stacks of paper to go through. “Grep” was an important security tool. When I was involved in application penetration tests, we used a combination […]
Blog
Low-Code Development Requires A Security Rethink
Low-code platforms speed delivery of applications, but are they secure? The answer is more complicated than I expected when I started this research project with my colleagues, John Bratincevic and John R. Rymer. We’re still gathering information, but we’ve discovered that: Low-code security is not well understood. Even vendors with extensive security investments acknowledged that […]
Blog
Container Adoption Is On The Rise: How Can Security Keep Up?
Adopting containers has become increasingly popular — consider that, as of 2019, 33% of global developers indicated that their development organizations currently use containers, and another 25% said they want to do so over the next 12 months. These numbers are not surprising when we consider the value containers offer, such as scalability, agility, and […]
Blog
Developer Security Champions Are Needed Now More Than Ever
In an era of budget cuts and staff reductions, can your organization propose a new security program? Analyst Sandy Carielli provides answers.
Blog
Some Good News About Application Security
In my new report, “The State Of Application Security, 2020,” some of the trends are . . . kind of discouraging. Applications remain the most popular attack vector, open source continues to infect everything, and too many industries are not investing in the application security controls they need. But you’re probably tired of reading bad […]
Blog
Security Recommendations 2020: What To Focus On
Our team of security and risk analysts spent the past few months brainstorming and curating tactical and strategic advice designed to improve your security programs for 2020 and beyond . . . and then along came the COVID-19 global pandemic. In the midst of this, firms are undergoing a shuffle of priorities to accommodate a […]
Blog
The Web Application Firewall Market Is Ripe For Disruption
Let’s face it: Web application firewalls (WAFs) rarely excite the security imagination. WAFs have been ubiquitous for at least 15 years and play an important role in detecting and blocking OWASP Top 10 application level attacks like SQL injection and cross-site scripting. WAFs are table stakes in any environment, but they suffer from the perception […]
Blog
The Road To RSA Conference 2020: What Am I Looking For?
Attending RSA Conference is like being at a giant class reunion where everyone still has homework to do. Catching up with old friends working at new companies is great (and it usually starts at the airport), but most of us work hard during the week. Depending on where I worked, I have spent previous conferences […]
Blog
Leverage Bot Management To Enforce Ethical Data Use
There are good bot uses and there are bad ones. If your business collects customer data or images, you have a responsibility to guard against the bad bots that scrape it. Learn how.
Blog
As Bad Bots Evolve, Bot Management Solutions Evolve To Fight Them
One of my favorite things about covering the bot management market is that bots are not just a security issue. Sure, it’s common for bots to conduct credential stuffing attacks with a bunch of stolen usernames and passwords, but that just scratches the surface of the bot problem. Attackers also use bots to perform reconnaissance […]
Blog
The WAF-Bot Management Acquisition Waltz
With F5 Networks buying itself a $1 billion Christmas present in Shape Security, it’s a good time to review the state of the bot management market. The Shape Security sale caps off a year of bot management acquisitions by web application firewall (WAF) vendors. In January, Radware announced that it had acquired ShieldSquare, and in […]
Blog
Retailers, Don’t Let Grinchy Bots Ruin Your Holiday Season
Bot traffic can eat into profits and sabotage customer experiences. Learn how to play defense.