How do,

Just started looking into the long path needed to get experience and skills in this field. Wondering which way to go first. My back ground is web develpment and microsoft focused at that, .net and SQL. I've moved away from development and into design and was seconded into our security team to help with firewall analysis and some other bits around PCI certification. This has totally given me a new sense of what I want out of a career in IT and I'm a bit like rabbit in headlights at the moment. I'm mostly after some advice on which way to go to start out. My inclination is to start close to home and focus on Web App Security and wondered what would be the best course of action. I'm not really fussed about certification yet, I want to learn and develop skills that are going to benefit me and my company. Any advice on books, tutorials, toolsets and skills to practice so I don't have to rely on pre-packaged tools? Is there any information on what the basics are?

Any advice would be amazin.

Here are some books to help:

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition - Dafydd Stuttard (Author), Marcus Pinto (Author)
^ big book just came out. Helped me alot with my GWAPT certification.

HACKING EXPOSED WEB APPLICATIONS, 3rd Edition by Joel Scambray, Vincent Liu and Caleb Sima
^ Dont know much about this one. It has good reviews on amazon.

Here's a good list of some vulnerable web app's for learning with.  http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/

There's many good tutorials on Youtube for webgoat/webscarab.