what if i moved to web app sec?

Pardon me for a moment while I think out loud. If I got into a web application security job of some sort, how long would it take me to get to a personally acceptable level of competence (for me: a decent enough expert in the field)? Given a day job that lets me focus on that topic and my propensity for self-study, I think it would take me a year to become satisfactorily proficient. This can differ, however, based on how deeply I will need to know various programming languages when it comes to code reviews. My self-study would likely be designed around working and familiarizing myself with various codes by doing some personal projects here and there… Food for my brain.

I think this way because I am open to “awesome” job opportunities lately, and if something in this space opens up, I don’t want to spend a week trying to play introspective catch-up and miss the opp.

3 thoughts on “what if i moved to web app sec?”

  1. I’ve found that usually the knowledge I already have is good enough to bootstrap me in a new job/career. There is so much out there that it is very hard to cover it all. Better to just get started and learn on the job.
    Just my 2 cents.

  2. i suggest the training material for mcpd/mcts and scjp. owasp and sans-ssi will be future places to get certified on secure application development. the pci qpsp might be worth a look at. there is also the sans giac web application security (gwas)

  3. You know, it is rare to get in on the start of a new vein in the industry. If OWASP came out with a certification for their work, I would seriously look into picking that up and devoting some time. I might not do it, but it would get some real thought-time from me.
