Hacker News
by throwaway3301 4517 days ago
How can I start learning about how to identify exploits like this? I know some basics about web application security and work as a software engineer on a day-to-day basis, but security has always been a passion of mine, and I have always wanted to be able to support myself through working on security alone (by collecting rewards through bounty programs, self-employed security consulting, working at a security consulting firm like Matasano, or some combination thereof), but I don't know where to start. I want to learn the ins and outs of web application security instead of just understanding the OWASP Top 10 and having a strong interest in certain topics (like HTTPS/SSL vulnerabilities). When I read disclosures from people like Egor, I grasp the steps they are taking to craft an exploit like this as they are explained, but I don't know how to identify these exploits on my own.

Can anyone recommend some reading material or some first steps I can take to work towards moving to a more security-focused career?

Thanks.

1 comments

Like a lot of other things, practice matters. OWASP has some deliberately insecure webapps which are meant to give people practice spotting and exploiting vulnerabilities (WebGoat, RailsGoat, PyGoat, probably others). There are also "capture the flag" competitions of the sort run every so often by Stripe; Matasano currently has one going as well, focused on embedded systems:

http://www.matasano.com/matasano-square-microcontroller-ctf/

Matasano's CTF is hard. At least I think so, but a good start anyway.