Been developing web apps for a while and want to move to web app security? There’s room for you! Check out Jeff Snyder’s recent post about Hot Security Skills: Web Application Security [warning: may come up as a job recruitment site on web filters].
I really like that he dives down into what I think is important in most security roles: practical experience. In this case, employers want experienced coders/developers. Diving deeper, you can see they would also like candidates to have experience with security scanning tools and web app firewalls. I’d argue those are a bit harder to get one’s hands on, as some of them are a bit spendy depending on the vendor. But I bet you can get some hands-on time if you just ask the vendors and explain you’re trying to improve your skillset and might actually end up generating indirect sales through your recommendations (hint hint)…
Now, if you look at everything Jeff lists, you’ll probably see why there is a shortage of web app security engineers! Those requirements are pretty damn high, even for experienced people, and they start diving into other areas that may be less familiar (database administration, WAF, advanced authentication, various server administration…). If you have all these skills, just sticking to development will be solid bucks, let alone bothering with security! I consider it rare that a developer really understands or ever tackles these other things, some of which are often in the sysadmin ballpark.
Nonetheless, don’t let such high requirements chase you or someone you know away from web app security. There are no doubt opportunities for less experienced gigs and it’s really only those first 5 years of job experience that are the hardest, whether you’re doing practical work or outright security work. If you know your security shit, you can probably bypass the “I was a Ruby developer for 15 years [huh?]” requirement.