Good afternoon all,

After quite some time of being interested in the area of security (e.g. penetration testing, malware/virus discovery and removal, vulnerability of operating systems etc) I'm finally looking to actually get off my lazy arse and do something about moving into this area of expertise.

Some background on myself. For the last 14 years (yes people can be that old and not be dead) I've been working in IT in the area of Java design and development (with about 8 years of team leading). Primary development platform is Windows with primary deployment platform being Solaris so I have reasonal experience of using Unix (shell scripts are your friend). I also have experience using PERL, VBScript and C/C++ although my knowledge is far from exhaustive in those areas. My networking experience is limited to the usual configuring of work LAN/work PC's so again far from exhaustive.

The advice I'm after (now that i'm finally getting to the point) is whether after so long in software design/dev it is practical for me to switch streams to a security focused (network penetration) career.

My plan was to take a break from software dev (contracting has some benefits) and focus on getting my networking/basic security knowledge up to a decent level via the Network+ and Security+ CompTIA certs. Is it practical to self-teach those without actually working in a networking/security based role already? Obviously VM Labs can help a huge amount there but would that end up being sufficient (with those 2 certs) to eventually get into an initial security role (junior role) and get myself started on that career path and on to further certs (CEH etc)?

Would also be interested to hear of experiences from others that have switched paths like this (especially in the UK but thats asking a bit much).

Any thoughts/advice anyone can give would be gratefully received.

Self motivation is key to a security career.  I think you are in a much better place than someone who just has a passing knowledge of computers who wants to be an elite hacker like in the movies.  A working knowledge of programing will help you go far in your quest for pen testing, malware/virus, and vulnerability exploitation.

It is very important that you understand networking and basic security concepts, like those taught in Net+ and Sec+.  With a small network, a few computers, a couple of bucks in late fees from your local library you can study the subject of networking and security.  You may even be able to get started in the security field, even if it is a less than desirable position like basic log monitoring or account management/active directory management.

After you have a grasp in the fundamentals there are some really good resources for malware research, like Ed Skoudis' book and a lot of SANS courses.  If you were more interested in penetration testing programming knowledge will go a long way if you temper your knowledge with the methodologies taught through the Certfied Ethical Hacker certification.  For vulnerability research, you can get started in learning the open source (for now) framework of Metasploit.

Use your time wisely.  There is no magic bullet for information security work.