BlackRock Application Security Engineer in Tel Aviv, Israel

BlackRock is a global leader in investment management, risk management and advisory services for institutional and retail clients. At December 31, 2016, BlackRock’s AUM was $5.1 trillion. BlackRock helps clients around the world meet their goals and overcome challenges with a range of products that include separate accounts, mutual funds, iShares® (exchange-traded funds), and other pooled investment vehicles. BlackRock also offers risk management, advisory and enterprise investment system services to a broad base of institutional investors through BlackRock Solutions®. As of December 31, 2016, the firm had approximately 13,000 employees in more than 30 countries and a major presence in global markets, including North and South America, Europe, Asia, Australia and the Middle East and Africa. For additional information, please visit our careers website:


Team Overview:

The Application Security team acts as a trusted assessor and risk advisor for the application development teams. The team comprises junior and senior security engineers with expertise in application security and penetration testing. The team is the go-to team if one needs to get an attacker’s perspective on any technology. Your colleagues will be individuals who are passionate about technology and stay current with the knowledge of new attacks, vulnerabilities and security technologies. The Application Security team is a part of the Global Information Security (GIS) Team within the Technology and Operations umbrella. The team interacts with the numerous Software Development teams on issues relating to application security.

Key Responsibilities:

The key responsibilities of the role are as follows:

  • Individual contributor responsible for reviewing the security of the source code and security of the libraries used
  • Engage with development teams and/or senior management across various teams to influence efficient and effective fixes for application vulnerabilities
  • Review and own the issues from Static Analysis and Interactive application security testing tools
  • Create a software source code review process that is a part of the development cycles (SDLC, Agile, CI/CD)
  • Educate the developers on the vulnerabilities that are found and translate the vulnerabilities into business risks
  • Validate if the issues are fixed and work with the developers to suggest good ways to fix issues
  • Familiar with tools such as Bugzilla, JIRA, issue trackers, GitHub, SVN, IDEs such as Eclipse/IntelliJ and build tools such as Ant, etc.
  • Contribute to the Software Security Standards with commonly found vulnerabilities
  • Present a quarterly state of source code security to the CISO and a bi-annual educational session of commonly seen vulnerabilities for the development teams
  • Create proofs of concept to validate the fixes or educate the developers on how certain vulnerabilities can be exploited
  • Create static code analysis tools where automated tools cannot
  • Be able to understand and assess application risks and mitigation methods or compensating controls


Candidates will be evaluated based on their ability to perform the duties listed above while demonstrating the skills and competencies necessary to be highly effective in the role. These skills and competencies include:

  • Strong manual code review skills in Java, C/C++, Python, Perl
  • Network and application Penetration Testing experience
  • Understand essentials of cryptography, operating systems, network security, application security such as understanding of gcc, Java, Perl and Python
  • Proficiency in English for written and verbal communication
  • Familiarity with tools such as Veracode, Fortify, Contrast, CheckMarx, Coverity, FindBugs, etc.
  • Understanding of security of web applications, thick-client applications, RESTful web services, virtualization, Docker, Kubernetes, etc.
  • Ability to multitask and be able to juggle different tasks with ease

Candidates will be evaluated primarily upon their ability to demonstrate the competencies required to be successful in the role, as described above. For reference, the typical work experience and educational background of candidates in this role are as follows:

  • BS/MS in Business, Computer Science, Information Security, or a related field
  • 8 years of work experience as a source code reviewer or code analyzer
  • 8 years of security, in an Application Risk Analysis role
  • Relevant certifications are a plus (e.g., OSCP, OSCE, OSEE)

Job Function: Technology

Organization: Technology & Enterprise Services

Title: Application Security Engineer

Primary Location: EMEA-Israel-Tel Aviv

Requisition ID: 171039

Job Posting: Aug 3, 2017, 2:56:48 AM