AECOM IT Security Engineer – Penetration Tester in Arlington, Virginia

Requisition/Vacancy No. 146280BR

Position Title IT Security Engineer – Penetration Tester

Job Category Information Technology

Business Line Government

Country United States of America

State/Province/Region USA - Virginia

City Arlington

Why Choose AECOM? AECOM is a premier, fully integrated professional and technical services firm positioned to design, build, finance and operate infrastructure assets around the world for public- and private-sector clients. With nearly 100,000 employees — including architects, engineers, designers, planners, scientists and management and construction services professionals — serving clients in over 150 countries around the world, AECOM is ranked as the #1 engineering design firm by revenue in Engineering News-Record magazine’s annual industry rankings, and has been recognized by Fortune magazine as a World’s Most Admired Company. The firm is a leader in all of the key markets that it serves, including transportation, facilities, environmental, energy, oil and gas, water, high-rise buildings and government. AECOM provides a blend of global reach, local knowledge, innovation and technical excellence in delivering customized and creative solutions that meet the needs of clients’ projects. A Fortune 500 firm, AECOM companies, including URS Corporation and Hunt Construction Group, have annual revenue of approximately $19 billion. More information on AECOM and its services can be found at

About the Business Line


AECOM’s Global Support Services (GSS) organization resides within AECOM’s Government business line and is comprised of three divisions — International Development, Operations and Mission Support, and Global Programs. GSS has the international presence, personnel networks and procurement infrastructure to deliver support for any mission, anywhere. We optimize the reliability, availability and sustainability of equipment, logistics systems and facilities for clients around the world. GSS supports the U.S. Government, non-U.S. Governments and industry clients with worldwide program management, planning, design, operations and maintenance, logistics, aviation services, security, international development, environmental and civil engineering and mission and intelligence support.

Job Summary

AECOM is seeking a Penetration Tester to join our team supporting the TSA in Arlington, VA

As a penetration tester, you will be expected to conduct formal tests on web-based applications, networks, and other types of computer systems. You will also be expected to work on physical security assessments of servers, computer systems, and networks. Along with these tests and assessments, you'll be conducting regular security audits from both a logical/theoretical standpoint and a technical/hands-on standpoint. Work on the security of wireless networks, databases, software development, and/or company secrets will also be part of your duties .

Will provide testing capabilities on all IT Systems to include:

Provide solutions oversight and guidance on all related Government Customer IT projects and implementations

Test scope, plans, and time frames for testing of IT Systems, Operating systems, Network devices and infrastructure; Databases (Oracle, MySQL, MS SQL, SQLite, PostgreSQL, Progressive etc.)

Provide expert analysis of complex information technology Security related problems and provide technical expertise on the following: Remediation for vulnerabilities of operating systems, network devices, infrastructure and Database (Oracle, MySQL, MS SQL, SQLite, PostgreSQL, and Progress etc.)

Generates consolidated test results

Provide testing plans on COTS/GOTS, Mobile Devices, Mobile Applications etc.

Uses a variety of tools (Tenable Nessus, HP WebInspect, IBM AppScan, Nipper, NMAP, AppDetective, Fluke Network Tester) to provide full range of system security testing.

Minimum Requirements

Bachelor’s degree in electrical engineering, computer sciences, information systems, mathematics, or business administration and at least ten years professional experience in the subject matter and a minimum of 5+ years of experience in C&A with a full understanding of the SDLC and FISMA process, security policy and technical standard development, secure infrastructure design reviews, multi-tiered trust zone structures, and complex internetworking through multiple-level network security structures. This individual should be highly regarded by the professional community in which he/she practices, with possible university and/or research institute affiliation.

Requires experience with Federal IT systems and experience in the Certification and Accreditation process with a full understanding of the System Development Life Cycle and FISMA process.

  • Expertise and experience in performing security assessment of network devices (router, switch, firewall configuration), servers, workstations, Web applications and databases

  • Experience using vulnerability tools such as App Detective, Nessus, WebInspect, AppScan, Hailstorm, NetStumbler, NMAP, ISS, Fluke Analyzer, and Nipper

  • Expertise and experience in creating documentation such as Systems Security Plans, Contingency Plans, Test Plans, Findings Matrices and Network Diagrams

  • Knowledge of NIST and FIPS security controls

  • Expertise in conducting vulnerability testing on UNIX and Windows operating platforms

  • Experience and knowledge of Identity Management systems, Application Security, Web Application Security, SOA functions, PKI administration

  • Expertise and experience reviewing and understanding SSPs, network diagrams, SOPs, and SSDs; Virtualization, Remote Access and Secure Mobile Computing technologies

  • Possesses strong oral and written communications, client facing skills, and can articulate both written and verbally technical concepts to a variety of technical and non-technical audiences

  • Experience utilizing security tools including but not limited to; Nessus, AppDetective, NMAP, Burp Suite Prod, Weblnspect, AppScan, SOAP UI, HP WebProxy or other mature testing automation tools

  • Proficient with source code review and development

  • Experience with web, application and database vulnerability testing

  • Experience conducting manual penetration testing capabilities beyond running automated tools

  • Ability to develop custom scripts or tools for exploiting vulnerabilities

  • Ability to perform social engineering tests

  • Must be familiar with OWASP Top Ten and or any other Web Application testing framework or other best practices

  • Must be proficient in web programming languages, in addition to mobile and remote access capabilities

  • Proficient and capable of presenting all findings with 3rd party vendors and/or resources shall be able to proficiently articulate both written and verbally technical concepts to a variety of technical and non-technical audiences

  • Ability to keep current with new/cutting edge technologies, languages, tools and exploits

Approximate travel requirement up to 20%. Overnight and weekend work is required.

Preferred Qualifications

CISSP, CAP, CCNA, CISA, GIAC, CISM, CEH, or similar information security professional certification

What We Offer

AECOM is a place where you can put your innovative thinking and business skills into high gear and work alongside other highly intelligent and motivated people. It's a place where you can apply your skills to some of the world's most challenging, interesting, and meaningful projects worldwide. It's a place that values the diversity of our areas of practice and our people. It's what makes AECOM a great place to work and grow.

AECOM is an equal opportunity employer and Minorities, Females, Veterans, and Disabled persons are encouraged to apply. For further information, please click here at to view the EEO Is The Law poster.