
Sandy Carielli

Principal Analyst Serving Security & Risk Professionals

Sandy is a principal analyst at Forrester advising security and risk professionals on application security, with a particular emphasis on the collaboration among security and risk, application development, operations, and business teams. Her research covers topics such as proactive security design, security testing in the software delivery lifecycle, protection of applications in production environments, and remediation of hardware and software flaws.

Previous Work Experience

Sandy has over 15 years of experience in the security industry, working in software engineering, consulting, product management, and technology strategy roles. Her most recent experience was at Entrust Datacard, where she guided the organization’s technology strategy and researched the impact of emerging technologies on the business. Prior to that, Sandy was director of product management at RSA, where she was responsible for the SecurID and Data Protection portfolio. Sandy spent four years as a consultant at @stake, where she conducted application architecture assessments, penetration tests, and code reviews for enterprise customers and recommended risk mitigation strategies based on her findings. Sandy began her career as a software engineer at BBN Technologies and CyberTrust Solutions. Sandy is a coauthor of the Industrial Internet Consortium’s IoT Security Maturity Model and has spoken at RSA Conference, SOURCE Boston, ISSA International, and many other regional security events.

Education

Sandy has a ScB in mathematics from Brown University and an MBA from the MIT Sloan School of Management.

Sandy Carielli's Research

  • For Security & Risk Professionals

    REPORT: The Forrester Wave™: Static Application Security Testing, Q1 2021

    The 12 Providers That Matter Most And How They Stack Up

    January 11, 2021 Sandy Carielli

    In our 28-criterion evaluation of static application security testing (SAST) providers, we identified the 12 most significant ones — CAST, Checkmarx, GitHub, GitLab, HCL Software, Micro Focus, Parasoft, Perforce Software, SonarSource, Synopsys, Veracode, and WhiteHat Security — and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk professionals select the right one for their needs.

  • For Security & Risk Professionals

    REPORT: Don't Ignore Security In Low-Code Development

    Low-Code Mitigates Some Security Risks — But "Citizen Developers" Bring New Challenges

    December 23, 2020 Sandy Carielli, John Bratincevic

    The low-code movement can turn anyone into a developer, but it can't turn anyone into a security-aware developer. Low-code platforms abstract away some security risks, but other security requirements remain. Security pros should read this report to learn how to work with low-code developers and how to manage the security benefits and risks of low-code development.

  • For Security & Risk Professionals

    REPORT: API Insecurity: The Lurking Threat In Your Software

    Design And Build API Security Top To Bottom, End To End Across The Software Lifecycle

    October 22, 2020 Sandy Carielli, David Mooter, Randy Heffner

    From simple internal flows between parts of a microservice app to major B2B transactions worth millions, APIs serve a huge range of scenarios, users, and processes. They provide a foundation for innovation and digital transformation at multiple levels — and at each level, they open security holes and create privacy risks. This report provides security pros a broad-based view of API security strategies, tools, and considerations as a working model for collaboration with digital channel executives, application developers, and enterprise, data, and infrastructure architects.

  • For Security & Risk Professionals

    REPORT: The Forrester Tech Tide™: Application Security, Q4 2020

    Twenty Technologies Underpin Application Security

    October 8, 2020 Sandy Carielli

    Application security is increasingly critical to firms' ability to win, serve, and retain their customers. To accelerate their performance in application security, companies are evaluating and adopting a range of contributing technologies. This Forrester Tech Tide™ report presents an analysis of the maturity and business value of the 20 technology categories that support application security. Security pros should read this report to shape their firm's investment approach to these technologies.

  • For Security & Risk Professionals

    REPORT: The Forrester Tech Tide™: Zero Trust Threat Prevention, Q3 2020

    Twenty Technologies Underpin Zero Trust Threat Prevention

    September 18, 2020 David Holmes, Sandy Carielli, Andras Cser, Chase Cunningham, Chris Sherman, Brian Kime, Claire O'Malley

    Zero Trust (ZT) threat prevention is critical to firms' ability to win, serve, and retain their customers. To accelerate their performance in Zero Trust threat prevention, companies are evaluating and adopting a range of contributing technologies. This Forrester Tech Tide™ report presents an analysis of the maturity and business value of the 20 technology categories and over 125 different vendors that support ZT threat prevention. Security and risk professionals should read this report to shape their firm's investment approach to these technologies.
