Hi Piru,
This is the type of job I'm trying to work my way into. Without hijacking the thread, do you have any pointers for someone interested in your field? I'm working on training and getting certifications now. I hope to go live this fall / winter as a consultant with the goal of quickly turning that into a real office with full time employees servicing a large metro area.
First of all, certification is of little use, unless you work in specific fields (PCI QSA) and/or for customers that require it (government could require certs). Not only are the certification systems just cash machines for the companies running them, but the actual tests are a joke as well. Of course, if you intend to compete for customers who require or prefer certified consultants, that's something you will have to do.
As to actual training, well, I have little to contribute here, as I myself had no official training in the field whatsoever. In fact, this is more the norm than the exception for anyone I know in the field. Most of them are self-taught hackers, and only very few have even completed their academic degrees (this isn't that unusual these days in general, though).
While it probably won't be of much help, perhaps a story of how I got involved in the security field in the first place could be interesting to some.
In spring 2008 I read a bit of news regarding web security breaches. I got interested in the topic and read everything I could find. In less than 3 months I found over 400 vulnerabilities in various web sites, for instance: Finnish govt, most Finnish banks, most Finnish telecom providers, most Finnish media, Finnish police, NY Times, Washington Post, FBI, CIA, several US govt websites (NASA, DARPA, various military branches), eBay, w3.org, PayPal, Facebook etc. Looking back, though, the manner in which I did it probably wasn't the best approach available. It did result in a couple of high-profile articles, though (mainly about PayPal and the CIA).
When I was recruited, several things in my background had been dug up: for example, that I had done a lot of reverse engineering and was writing my own operating system. Also, they knew about my quarrel with Telewell regarding GPL usage (it had required some nice reversing and hacking, which was all noted). Of course they had also noticed my "freelance work", but needless to say I wasn't "ready". What they looked for was someone who could learn the trade, not someone who was born a super hacker. Once recruited, it took several months to get anywhere near skilled enough to consider myself competent.
Of course the field is constantly evolving and changing, and you have to keep up. For instance, I follow several security-related mailing lists and attend security conferences (for example t2, ph-neutral, Black Hat).
There are a ton of books that are relevant to the field, but perhaps the most famous and most commonly referred-to one is The Web Application Hacker's Handbook:
http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/0470170778
I'd say it's a good read for anyone, even if you might not be interested in the field. I'd very much like every web developer to read it at least. ;-)
There's much more to the field than just web app security, though. A good resource is, for instance, the Center for Internet Security:
http://www.cisecurity.org/.
https://www.owasp.org/ has some good stuff as well, but the material is of varying quality. Much of it is really sh*tty, to be honest.
Anyway, good luck and welcome. I hope maybe some of my message was at least in some way useful.