Sandy Carielli

Principal Analyst

Forrester Bio

Author Insights

Blog

The Application Security Market Will Grow To $12.9 Billion By 2025

Sandy Carielli 5 hours ago
Earlier this year, when I published The State Of Application Security, 2021, I highlighted how organizations were prioritizing application security and aggressively adopting a range of tools to support their efforts. With firms continuing to build and enhance applications, and with developers embracing new ways of building applications that improve speed to market and enrich […]
Read More
Blog

Our Take On The Microsoft Power Apps Portals Data Leak

John Bratincevic September 1, 2021
In light of the recent Power Apps portals data leak, learn three key points about the security of low-code platforms.
Read More
Blog

European Security Leaders Must Invest In AppSec To Catch Up With Their Peers Across The Globe

Sandy Carielli August 31, 2021
Like the rest of the world, European firms have been forced to pivot to digital experiences in the last year, even, as in the case of Italian luxury goods businesses, when digital went against long-standing cultural norms. As their firms pivot, European security leaders would do well to remember that vulnerable web applications are a […]
Read More
Blog

SCA Vendors Are Leading The Way On Diversity, Equity, And Inclusion

Sandy Carielli August 31, 2021
It’s no secret that the security industry has a DEI problem. Yes, I just linked to six different articles or social media posts supporting that point, and I’ve barely scratched the surface. My colleagues, Jinan Budge, Jess Burn, Allie Mellen, and Alla Valente, authored a blog about gender bias in the security industry last month, […]
Read More
Blog

Software Composition Analysis Is A Core Tool To Protect Your Software Supply Chain

Sandy Carielli August 18, 2021
Over the past year, breaches such as SolarWinds and Kaseya have woken us up to the realities of software supply chain risk. Whether through infiltrating the software delivery pipeline, deliberately uploading malicious components to popular repositories, or taking advantage of existing vulnerabilities in open source components, attackers are leveraging gaps in supply chain controls to […]
Read More
Blog

Debunking Infosec Purity And Other Security Myths In The Wake Of Recent Attacks

Sandy Carielli May 21, 2021
Earlier this week, an op-ed published on The Hill sent information security (infosec) Twitter into a tizzy by blaming cybersecurity industry best practices for recent high-profile security breaches. For the security team at Forrester, the op-ed furthered a number of security myths that we felt compelled to bust here. Myth #1: The Best Infosec Pros […]
Read More
Blog

Biden Executive Order Bets Big On Zero Trust For The Future Of US Cybersecurity

Jeff Pollard May 13, 2021
Forrester's security team sifts through the details of the new executive order on cybersecurity and looks forward at its long-term impact.
Read More
Blog

It’s Time For E-Commerce And Security Pros To Collaborate To Combat Bot Fraud

Sandy Carielli May 6, 2021
Bots are bigger than the security team. Conversations with security professionals concerned about bots often start with credential stuffing attacks, but the bot landscape is much broader and can directly impact your top line. Even the defenses have business impacts: A bot management solution that slows down traffic on the biggest shopping day of the […]
Read More
Blog

Google V. Oracle: Sanity Prevails At The Supreme Court

David Mooter April 6, 2021
Yesterday, the United States Supreme Court ruled that Google’s usage of Java APIs was legal, and the US IT industry breathed a sigh of relief. At issue was Google writing its own implementation of the Java language, which happened to use the same APIs as Oracle’s Java SE. The Supreme Court’s Decision What exactly did […]
Read More
Blog

National Poetry Month And The Case For Whimsy In Security & Risk

Sandy Carielli April 5, 2021
We all need a bit of whimsy in our lives. This is not just an excuse for a whimsical blog post, though there is that. Whimsy and laughter build bridges. And in the security world, where empathy is a critical resource, whimsy can be a first and recurring step in connecting with the teams outside […]
Read More
Blog

Make Application Security A Top Priority

Sandy Carielli March 23, 2021
When we launched the most recent Forrester Analytics Business Technographics® Security Survey, it was summer of 2020. We’d been in quarantine for about three months, and firms had long since realized that they needed to digitally transform their businesses (and fast) in order to survive the new normal. That meant a lot of application development, as […]
Read More
Blog

Just In Time, The SAST Market Has Embraced The Developer

Sandy Carielli January 11, 2021
The classical challenge with static application security testing (SAST) was bridging the gap between security and development. In SAST’s early days, it was a tool for security pros, who threw the results of prerelease scans over the wall to developers to fix. Developers had to contend with large numbers of unclear findings and false positives, […]
Read More
Blog

It’s Likely You Already Have Low-Code Developers — Get Them Into Your Security Neighborhood

Sandy Carielli January 4, 2021
Security pros should work to integrate security into the developer experience to ensure customer-facing applications are secure. Consider these three points to get started.
Read More
Blog

Security Vendors: It’s Time To Come Clean About Intrusions

Jeff Pollard December 15, 2020
The intrusion into SolarWinds, FireEye, and multiple US government agencies continues to roil the cybersecurity world. In only a few days, a slew of additional details have emerged about the scope of the intrusions, with more surely to come. Security vendors spend all their time talking about security but not in a way that’s useful […]
Read More
Blog

The SolarWinds And US Government Breach Is Not A Marketing Opportunity

Jeff Pollard December 14, 2020
The size and scope of SolarWinds as an IT software provider and the nature of the breach announced on December 13 rocked the IT and security world — rightfully so. We’ve provided immediate, actionable advice for security and risk pros and IT leaders in our report here. While security leaders guide their companies to respond, […]
Read More
Blog

COVID Drives M&A Activity In DevOps And IT Management

Sandy Carielli December 4, 2020
Learn how the pandemic's increased uncertainty and volatility has produced some attractive M&A opportunities in DevOps and IT Management.
Read More
Blog

Bots Kept Jeff From Buying A PS5, And Sandy Had To Hear About It

Sandy Carielli November 18, 2020
It’s not that I’m not a gamer. I enjoy board games and card games: Trivial Pursuit, Settlers of Catan, SET, Hive. I’m up to level 3056 in Two Dots. As a kid, I played Super Mario Land on my brother’s Game Boy and Sonic the Hedgehog on the family Sega Genesis. But I’ve never been […]
Read More
Blog

Black Friday “All Season Long”? Expect The Bots To Follow Suit

Sandy Carielli November 5, 2020
I was scouring some of the Black Friday ads this week, and the trend seems to be less “Black Friday” than “Black November and probably most of December, too.” Best Buy is touting, “Black Friday all season long.” Target offers weekly “Black Friday Now” deals. Walmart? “Black Friday Deals for Days!” None of this is […]
Read More
Blog

The Power And The Peril Of APIs

Sandy Carielli October 22, 2020
Every time we come up with new ways to build and deploy applications, we also come up with new ways to break them. Did SQL make it easier to access and manipulate large amounts of structured data? You bet, and it also led to SQL injection. Ready to join the cloud? Hope you didn’t put […]
Read More
Blog

Twenty Technologies Underpin Application Security

Sandy Carielli October 9, 2020
When I was working at @stake in the early 2000s, most of my client engagements were in application security. I did a number of code reviews that involved people handing me stacks of paper to go through. “Grep” was an important security tool. When I was involved in application penetration tests, we used a combination […]
Read More
More posts