As a software engineer early enough in his career to change tack, how would I go about venturing into this space? Cybersecurity is something that has always interested me, but it seems like such a massive feat that I often find myself overwhelmed and settle back into my comfortable dev job.

Then every time we finish building a new publicly accessible system we send it off to "the security company" to pen test it. I am always very jealous about this.

Bug bounties are a great way to get your feet wet. I've seen many devs (especially web devs) have a lot of success hacking on websites that are built with frameworks they are familiar with. I would recommend checking out Bugcrowd or Hackerone to get started.

Besides that, there are a ton of great online courses such as PWK/OSCP, and labs (HacktheBox).


There is the serious end of the security business, the service end, and the fake end. Plus of course all the black-hat ends.

If you want to be in the serious end, which doesn't necessarily pay more than any other software job but can be really interesting work, I would suggest learning about anti-virus and similar attacks (there are books and tutorials) and generally making your server software game as strong as possible. Then get a job with a security company at whatever level and bust your ass looking for challenges. You can rise very quickly if you can move the dial for the customers, and "smart and gets things done" plus "gives a shit about security" is a rarer combination than you'd think.

The service part, e.g. your pen-test company, is going to be much more mercenary. Great experience if you can get it, and probably a good space to start your own company in, but of very limited value in the big world. Security companies will have huge annual contracts, pen-testers and the like will be called in occasionally to check off a box on a security audit. Either one can work for you, but it's best to know what you're getting into.

The fake end of course is companies promising something they won't actually deliver, or will deliver with gross violations of ethics and/or the law. Obviously avoid these as best you can -- for the more serious companies, having your name associated with "SEO" or other spammers can permanently blacklist you from employment at least in the US, obviously the dodgier the play the greater risk of blacklisting. Hiring managers worth their salt have a nose for this, since Ethics is way more important than Skillz for any serious security job.

In case the black-hat part isn't obvious: in many places word gets around if a talented hacker is interested in security. Mafia is mafia even for us nerds. If something sounds suspicious, I strongly suggest you don't take the meeting. (This may be less of an issue in the US.)

Best of luck to you! The world needs more smart people working for a safer Internet!


I dunno about some of this; working for a security company in a non-security software role gets you a lot of adjacent experience (take extra courses mandated by the company, go to extra talks, work with super smart security people), but I don't consider myself anything like an actual security expert after doing this for nearly 8 years.

There's a lot of not-security work to be done in the security industry, and it's not all work that gives you security-specific experience. I like to think I'm good at what I do, but it's not security, even though it's to help security people.


I've been working in Security Per Se for more than 10 years and I would also be reluctant to call myself a "security expert" -- as would most of the people I respect in the business. (Free pass for CVs in motion of course.)

This is because many of us have very specific domain knowledge which probably doesn't map to a layperson's expectation of "security expert" -- and while I don't see much "Impostor Syndrome" I would assert that most branches of Security will humble you if you really know your shit, so a great indicator of someone who doesn't is their readiness to claim broad expertise.

Yes, most of the work in "security" is just "software engineering" -- but my own experience has been that for people who care about the security angle, plenty of domain knowledge accrues over time. You might not even realize how much you have, but others do: for me there is a huge difference between working with an ops person who has internalized the adversarial worldview of Security and one who is "just a sysadmin."


Take the OSCP course, that would get you some good practical exposure and a well-recognized cert. Having a software engineering background you'd be well positioned to do code auditing too, if that was your bag. If you really want to make bank, get into smart contract auditing. Going to events like DefCon and Blackhat is great for networking too. Check out capturetheether.com and hackthebox.eu for some practice!


Smart contract auditing = blockchain? Are those jobs still around? I thought that had a 1-year shelf life.


Cyber security is so wild west right now. Change your LinkedIn. Do some public speaking. Read some blogs and you'll get your foot in the door. Where you go from there is about how well you sell yourself.


Do the CCNA and follow it with the CCNA Security certification. This way you can easily get a job. Believe it or not, certification is important. Non-tech people don't trust you without it.

If you're into bug hunting, do it in your leisure time. It takes a lot of time and patience and can't always pay the bills. OWASP you can do as an additional thing, not as your primary one.

The easiest way, I think, to enter security with a guarantee of paying the bills is via the networking domain.


Certs are not important. No real security person is going to care about a Cisco cert either way.

