
How can a working developer transition to security? Just apply to 'security' jobs?

I've been reading a lot and managed to complete a couple of those exploitation wargames and hack some web apps but am in a completely different domain.



Go to blackhat and network.

Security people who are coders are a sweet spot.


In my opinion, the most helpful text for transitioning from development to security would be:

http://www.amazon.com/The-Software-Security-Assessment-Vulne...

Beyond that add in a bit of system administration knowledge e.g. in-depth knowledge of operating systems and networking, and you have everything you need to break many many systems!


Learn to see how things break. Most developers have a vision of how things should work. Good security developers have a vision of how things are brittle.

Risks Digest is a good, low-volume, high signal-to-noise place to just soak in the idea of systems breaking (both accidentally and by malice).

http://catless.ncl.ac.uk/risks


It really depends on what type of security you want to be involved with. If you're interested in appsec (which I think is infinitely more interesting than network security, but obviously, others' opinions will differ), then web security is a good place to start.

I've spent the bulk of my career doing application security work, so I have less advice to give about other aspects of infosec (which like the article says, really is a large field).

But (and this is fairly generic advice, received from a disembodied pseudonym on the internet) you can do a lot worse than just picking up a copy of the Web Application Hacker's Handbook, downloading the free version of Burp Suite, setting up a VM and installing some old versions of popular CMSs (or bulletin boards).

EDIT: Here's an old comment by tptacek that recommends something similar for starting out (so at least two people recommend this): http://news.ycombinator.com/item?id=5266939

I don't find a lot of value in CTFs (again, other people obviously feel differently), and I disagree with the other person who recommended you go to Blackhat.

Security conferences can be great, but I wouldn't go to Blackhat as your first (I actually wouldn't go to Blackhat unless your work was sending you, or you're speaking there). You can't throw a rock without hitting ten security conferences nowadays, so I'd start with ones more local to you (which will have the added benefit of having attendees who are also more likely to be local to you).

Based on your HN profile, it looks like you might live in Austin? If so, there are plenty of companies hiring security folks (actually, almost everywhere there is a crazy unmeetable demand for security professionals).

If you're a developer, you've already got an advantage over 95% of the people working in Infosec. That sounds like an exaggeration, but people seem to have a hard time understanding the disconnect from the relatively small "hacker" community and the much much larger corporate world where "senior pen testers" don't know how to do anything above and beyond kicking off a network scan.

I'd like to think that the appsec world is a little more advanced, but I think that's just me rationalizing. The bulk of people doing corporate appsec work (by which I mean consulting) are just running WebInspect (or something equivalent). That's why if you spend any time in the infosec community, you'll hear countless tales about how difficult it is to hire good people.

If you have any specific questions, or just want any advice, feel free to email me (my email is in my HN profile).


You could do all the Matasano crypto-challenges, for a start.



