Thank you SmartOne.
Answers to your questions are below. You had asked for advice; I take this request seriously, and thus the length of the reply.
Whatever you choose to do in this field, it all comes down to competency. What anyone says isn’t as important as what they can do at the keyboard or with a soldering iron.
It all boils down to skills, knowledge, experience and development.
That is why I feel you must really love what you do in this field, because you are going to have to spend most of your time improving at it. If it isn’t fun, then the time sink will drive most running toward something else.
You had stated that you are a software guy; so for this example I am going to say you worked/work as some form of engineer or developer of web based applications.
This would mean you already have many very important skillsets that can be bent to serve you in any InfoSec/NetSec path you choose.
For example, you would likely already have developed intangibles such as an eye for detail and an ability to concentrate focus for extended periods, which are difficult to teach someone.
Not to mention that a competent programmer has an excellent, high level advantage in this industry. Even if you do not find the languages you specialized in immediately useful, you have the capacity to learn others at an expedited rate (and likely have applicable experience in secure development, code review, etc).
It is really going to come down to what you want to specialize in. Once you have some idea about what you want to do, make the skills you already have work for you toward that goal.
Let us further the example by saying you wanted to become a Penetration Tester, and you wanted to specialize in Network Penetration (easily my favorite facet of my career).
Then I would say continue to focus about 80% of your development toward network penetration skills, but also weaponize your past Web Development background: dedicate about 10% to 20% of your total development time into studying and gaining a deep working knowledge of the OWASP Top 10 (fortunately, the exploitation methods/vulns listed in the Top 10 do not usually shift violently).
Why? Often, you can find a way into the target network via Web Application Penetration. If you had some manner of Web Development background, your current skillsets maximize any time you spend learning Web Application Penetration,
which in turn adds a valuable, more familiar weapon to your Network Penetration skillset (your ultimate goal).
Train hard, train smart and have fun. If you are consistent, you will be amazed where you are a year from now.
How did I start to learn InfoSec?
Like anything else in life, if you know what you want, then develop a plan that develops the skills you need to get there. If you are steadfast and willing to make sacrifices equivalent to your ambitions, you will get there.
When I got really serious about developing my skills, I developed a training regimen of, at minimum, 4-8 hours of study/research/practical training a day, at least 6 days a week (I did this with a full time job working between 40-60 hours a week).
The best way to learn is to do; when I was pushing forward with my development, there were a (slowly) increasing number of (a few) vendor bounty programs (now called a bug bounty).
Google had been doing so for a while at that point. They were offering bounties and allowing most (it may have been all) of their domains to fall within scope.
(Note: In the present, Yahoo’s bug bounty program has all of their domains within scope, including acquisitions.)
I took full advantage of these real world opportunities; I didn’t even bother to graduate past the enumeration phase for months.
Attacking/enumerating applications like DVWA, Windows/Linux/Unix VMs, or any of the Metasploitables are good practice.
However, I would probably join BugCrowd, find a program/customer where attacks on most (if not all) of their domains are within scope, and begin/conduct your live training that way.
This method has multiple advantages, not the least of which being that you will develop more current, real world skills. This will also make your research/study more efficient as you will invariably gear some portion of your training by experiences you have against live hosts.
SmartOne, it also seems like you are interested in improving your knowledge of networking, so I will tell you how I have grown mine:
The way I learn is to begin with studying a basic overview of something and fill in the gaps of my understanding with more and more complex material.
The Prof Pro’s CompTIA Network+ Study guide is a good example (http://www.proprofs.com/mwiki/index.php/Comptia_Network%2B_Study_Guide) of materials that are like those I have applied the principle to in the past.
The link takes you to the index of Prof Pro’s CompTIA Network+ study guide. I never prepared/studied for Network+; I just have a weakness for bookmarking clear, concise reference materials.
Much of the knowledge in the study guide could be considered basic, which is a damn fine start. However, let us say you run into vocab or concepts that need greater clarity (let us call such an example concept A),
and the magic happens: by seeking clarity from other sources, you discover that you need to study concept B to better understand concept A. To better understand concept B, you need to learn a bit of something about concept C.
Before you know it, hours have passed and the branches of your networking knowledge have grown in multiple directions.
The programming languages that I know:
Python 2. something to 2.7.8; I haven’t even touched Python 3.0 outside reading documentation to make necessary changes to modules/exploits/tools. I learned Python for those situations wh
I wouldn’t call myself a programmer though; I lack the talent and creativity in programming that allows for innovation and creation (which is magic really).
I know enough C to get a module, exploit or tool to do what I need if there is a minor issue. Fluency in C and ASM are high on my list of dream skill acquisitions.
Where scripting languages are concerned (though many call Python a scripting language), I am proficient in Bash and PowerShell.
I have some knowledge in a number of other scripting/G4L/programming languages, but that knowledge is strictly exploitation related. I may be able to identify a dangerous string of PHP that could lead to LFI/RFI on a site, but I cannot program in it.
Do I attend security cons:
Not yet; I keep an extremely low profile; this is actually the first community I have ever joined online. I am also extremely busy and my work flow can go from 1 to 100 in seconds.
I love the spirit and content coming out of DefCon, ShmooCon, BlackHat and CCC every year (and HOPE every 2 years). I usually watch all of the recorded presentations each year.
Someday I would like to go to Defcon, CCC and HOPE in the same year; kind of like paying my respects to the holy land.