For appsec, certs may help a little, but they aren't as valued as in pen testing and network security. A lot of senior level appsec jobs ask for the CISSP, but other than that, most job descriptions don't ask for certs. Most of the top appsec guys either don't have certs or don't advertise them. GSEC or GWAPT may be helpful, but you should check out the companies you want to work for and see if they ask for them or for any certs at all. Plan to get the CISSP eventually, but I don't know that I'd recommend investing in any others for the cert itself. If you want to take a SANS course to learn, that's fine, just a little pricey. But don't expect the cert to carry that weight that a Cisco cert would in networking.
You need to know at least one language really well and should have experience with several. You need to be familiar with the OWASP top ten and should also check out ESAPI. To get started learning about the various application security issues from a bug-hunters perspective, check out this book list by Dino Dai Zovi (he wrote a couple of them):http://www.amazon.com/A-Bug-Hunters-Reading-List/lm/R21POHD6Y2DOLQ
You should start reading Bugtraq and Full-Disclosure to see the bugs that are posted there. Don't worry about trying to remember which bugs are in which products, you need to understand what the bug is and how the poster found it. Every time you see something you don't understand, go research it. If an exploit is included, make sure you understand how it works.
You have your degree already which is important. Now, you need to start gaining experience in software development or in appsec directly. Where to start depends on what you want to do. If you want to be a security architect at a software company or actually build security solutions, start out as a developer and work on your appsec knowledge along the way. Make sure you learn some crypto as well; you won't be designing your own algorithms/protocols, but you should understand the ones that are out there. I recommend reading Understanding Cryptography by Paar and Pelzl and Cryptography Engineering by Ferguson and Schneier.
If you want to be a bug hunter/researcher, you should try to get into a junior role that is somehow related to appsec. With your degree and a little knowledge, you may be able to get a position analyzing security bug reports at a software company, testing software, or analyzing malware. To be a bug hunter, you'll need to be able to program and should have a reading knowledge of multiple languages but you don't have to be a primo developer. You need to learn to debug software and, if you're working with compiled programs, to reverse engineer as well. Your networking experience won't count for a lot unless there is an actual networking focus to the appsec work you're doing (e.g. doing appsec at Cisco).
If you're interested in buffer overflows in C/C++ code, check out the list of papers I posted a while back: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2897.msg13502/#msg13502
You may want to read a book on pentesting/hacking such as Hacking Exposed or Counter Hack just to get some perspective, but pentesting is a different skillset so don't worry about being proficient.
BS in IT: Security, CISSP, CEH, EnCE. MS in progress.