Sandy Carielli

Principal Analyst

Forrester Bio

Author Insights

Blog

Debunking Infosec Purity And Other Security Myths In The Wake Of Recent Attacks

Sandy Carielli May 21, 2021
Earlier this week, an op-ed published on The Hill sent information security (infosec) Twitter into a tizzy by blaming cybersecurity industry best practices for recent high-profile security breaches. For the security team at Forrester, the op-ed furthered a number of security myths that we felt compelled to bust here. Myth #1: The Best Infosec Pros […]
Read More
Blog

Biden Executive Order Bets Big On Zero Trust For The Future Of US Cybersecurity

Jeff Pollard May 13, 2021
Forrester's security team sifts through the details of the new executive order on cybersecurity and looks forward at its long-term impact.
Read More
Blog

It’s Time For E-Commerce And Security Pros To Collaborate To Combat Bot Fraud

Sandy Carielli May 6, 2021
Bots are bigger than the security team. Conversations with security professionals concerned about bots often start with credential stuffing attacks, but the bot landscape is much broader and can directly impact your top line. Even the defenses have business impacts: A bot management solution that slows down traffic on the biggest shopping day of the […]
Read More
Blog

Google V. Oracle: Sanity Prevails At The Supreme Court

David Mooter April 6, 2021
Yesterday, the United States Supreme Court ruled that Google’s usage of Java APIs was legal, and the US IT industry breathed a sigh of relief. At issue was Google writing its own implementation of the Java language, which happened to use the same APIs as Oracle’s Java SE. The Supreme Court’s Decision What exactly did […]
Read More
Blog

National Poetry Month And The Case For Whimsy In Security & Risk

Sandy Carielli April 5, 2021
We all need a bit of whimsy in our lives. This is not just an excuse for a whimsical blog post, though there is that. Whimsy and laughter build bridges. And in the security world, where empathy is a critical resource, whimsy can be a first and recurring step in connecting with the teams outside […]
Read More
Blog

Make Application Security A Top Priority

Sandy Carielli March 23, 2021
When we launched the most recent Forrester Analytics Business Technographics® Security Survey, it was summer of 2020. We’d been in quarantine for about three months, and firms had long since realized that they needed to digitally transform their businesses (and fast) in order to survive the new normal. That meant a lot of application development, as […]
Read More
Blog

Just In Time, The SAST Market Has Embraced The Developer

Sandy Carielli January 11, 2021
The classical challenge with static application security testing (SAST) was bridging the gap between security and development. In SAST’s early days, it was a tool for security pros, who threw the results of prerelease scans over the wall to developers to fix. Developers had to contend with large numbers of unclear findings and false positives, […]
Read More
Blog

It’s Likely You Already Have Low-Code Developers — Get Them Into Your Security Neighborhood

Sandy Carielli January 4, 2021
Security pros should work to integrate security into the developer experience to ensure customer-facing applications are secure. Consider these three points to get started.
Read More
Blog

Security Vendors: It’s Time To Come Clean About Intrusions

Jeff Pollard December 15, 2020
The intrusion into SolarWinds, FireEye, and multiple US government agencies continues to roil the cybersecurity world. In only a few days, a slew of additional details have emerged about the scope of the intrusions, with more surely to come. Security vendors spend all their time talking about security but not in a way that’s useful […]
Read More
Blog

The SolarWinds And US Government Breach Is Not A Marketing Opportunity

Jeff Pollard December 14, 2020
The size and scope of SolarWinds as an IT software provider and the nature of the breach announced on December 13 rocked the IT and security world — rightfully so. We’ve provided immediate, actionable advice for security and risk pros and IT leaders in our report here. While security leaders guide their companies to respond, […]
Read More
Blog

COVID Drives M&A Activity In DevOps And IT Management

Sandy Carielli December 4, 2020
Learn how the pandemic's increased uncertainty and volatility has produced some attractive M&A opportunities in DevOps and IT Management.
Read More
Blog

Bots Kept Jeff From Buying A PS5, And Sandy Had To Hear About It

Sandy Carielli November 18, 2020
It’s not that I’m not a gamer. I enjoy board games and card games: Trivial Pursuit, Settlers of Catan, SET, Hive. I’m up to level 3056 in Two Dots. As a kid, I played Super Mario Land on my brother’s Game Boy and Sonic the Hedgehog on the family Sega Genesis. But I’ve never been […]
Read More
Blog

Black Friday “All Season Long”? Expect The Bots To Follow Suit

Sandy Carielli November 5, 2020
I was scouring some of the Black Friday ads this week, and the trend seems to be less “Black Friday” than “Black November and probably most of December, too.” Best Buy is touting, “Black Friday all season long.” Target offers weekly “Black Friday Now” deals. Walmart? “Black Friday Deals for Days!” None of this is […]
Read More
Blog

The Power And The Peril Of APIs

Sandy Carielli October 22, 2020
Every time we come up with new ways to build and deploy applications, we also come up with new ways to break them. Did SQL make it easier to access and manipulate large amounts of structured data? You bet, and it also led to SQL injection. Ready to join the cloud? Hope you didn’t put […]
Read More
Blog

Twenty Technologies Underpin Application Security

Sandy Carielli October 9, 2020
When I was working at @stake in the early 2000s, most of my client engagements were in application security. I did a number of code reviews that involved people handing me stacks of paper to go through. “Grep” was an important security tool. When I was involved in application penetration tests, we used a combination […]
Read More
Blog

Low-Code Development Requires A Security Rethink

Sandy Carielli July 31, 2020
Low-code platforms speed delivery of applications, but are they secure? The answer is more complicated than I expected when I started this research project with my colleagues, John Bratincevic and John R. Rymer. We’re still gathering information, but we’ve discovered that: Low-code security is not well understood. Even vendors with extensive security investments acknowledged that […]
Read More
Blog

Container Adoption Is On The Rise: How Can Security Keep Up?

Sandy Carielli July 24, 2020
Adopting containers has become increasingly popular — consider that, as of 2019, 33% of global developers indicated that their development organizations currently use containers, and another 25% said they want to do so over the next 12 months. These numbers are not surprising when we consider the value containers offer, such as scalability, agility, and […]
Read More
Blog

FORRward: A Weekly Read For Tech And Marketing Execs

Emily Collins July 13, 2020
How Poor Pandemic Management Destroys A Brand As the rest of the UK started emerging from lockdown, the city of Leicester saw local restrictions reimposed due to a second wave of infections. Leicester’s garment factories, many of which are suppliers to UK-based online fashion retailer boohoo, were identified as the most likely cause of the new outbreak. An investigation into employee conditions found that factory workers were forced to work without any social […]
Read More
Blog

Developer Security Champions Are Needed Now More Than Ever

Sandy Carielli June 12, 2020
In an era of budget cuts and staff reductions, can your organization propose a new security program? Analyst Sandy Carielli provides answers.
Read More
Blog

Some Good News About Application Security

Sandy Carielli May 4, 2020
In my new report, “The State Of Application Security, 2020,” some of the trends are . . . kind of discouraging. Applications remain the most popular attack vector, open source continues to infect everything, and too many industries are not investing in the application security controls they need. But you’re probably tired of reading bad […]
Read More
More posts