views: 569

answers: 8

I have been doing programming for more than 10 years using various programming languages on multiple platforms/technologies/protocols.

I am thinking of switching my career and becoming a security domain expert. How do I get started? I would appreciate any tutorials, books or blogs which would help me gain security domain knowledge.

EDIT: Removed the word "hacker" as I don't want to become an expert by hacking into someone's computer.

EDIT: I would like to focus on wireless security domain.

+5  A: 

Hackers don't learn, they play.

The same answer applies in a different way. You cannot be an expert unless you have fun. Try making a simple web site with basic security. Then attempt to hack it. Trying to hack a website will teach you more about security than any book.

ChaosPandion
+1 for agreement. They totally go around trying ways to get in.
thephpdeveloper
Very good point. There are even some sites out there designed to practice on. Google "hackme" for a few. Also "hacking tutorial" and "cracking tutorial."
Rob Napier
A: 

1) Hack into something big.

2) Do a few years in the pokey

3) ??? (probably be someone's girlfriend, also line up job as security expert when you are out)

4) PROFIT

Wyatt Barnett
+3  A: 

If you want to gain knowledge in the field of computer security, you first have to decide your focus in that field as computer security is a large field with many possibilities. Some of the potential areas include:

  • Software Development Security
  • Computing Architecture
  • Wireless Security
  • Information Technology Security (day-to-day security)

and there are probably many others I am not coming up with off the top of my head. Of course, there are common themes that span all of these areas (AKA, the basics), but if you have an idea of what you're most interested in, it will help narrow down your search.

From that point, I would recommend hitting up your local library or book store. Start perusing books and seeing which ones start at a basic enough level, and expand from there. Get online and start searching. There are some excellent sites with a lot of good information about security that provide good jumping-off points for more information.

As for the term "hacker" - that's not really something you want to be labeled with these days. Although the computing community has a different term for it, the world at large sees hacking as a criminal activity.

I hope that helps.

JasCav
+1  A: 

I have made this transition.

BTW, "security expert" is too wide in my view. You will need to specialise in some areas.

If this is web application security - start reading sites/blogs of industry experts: (e.g. http://jeremiahgrossman.blogspot.com/)

Read the OWASP Top 10 vulnerabilities and make sure you understand how they all work (e.g. how can someone use/exploit CSRF?).

Prepare and get an industry certification (e.g. CISSP)

Learn, learn, learn!

DmitryK
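The "how can someone exploit CSRF" question DmitryK raises, worked through as an added example (not code from the thread or from OWASP): a state-changing "change e-mail" endpoint that trusts the session cookie alone, beside one that also demands a per-session token. The `App`, `Request` and `Session` shapes, the e-mail addresses and the attacker's page are all constructed for this demo; no web framework is used so it runs offline.

```python
"""CSRF: the vulnerable handler beside the hardened one.

Added example, not from the original thread. A bank-style "change e-mail"
endpoint is modelled with plain Python objects instead of a real web
framework; request/session shapes and all addresses are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for an HTTP POST: the cookies the browser attaches on its
    own, plus the form fields chosen by whichever page submitted the form."""
    cookies: dict
    form: dict


@dataclass
class Session:
    user: str
    # Fresh random secret per session; a cross-origin page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


class App:
    def __init__(self):
        self.sessions = {}  # session id -> Session (in-memory store)
        self.accounts = {}  # user -> e-mail address

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=user)
        self.accounts[user] = f"{user}@example.com"  # constructed start value
        return sid

    def csrf_token_for(self, sid):
        """What the site's own page embeds as a hidden form field."""
        return self.sessions[sid].csrf_token

    def change_email_vulnerable(self, req):
        """Trusts the session cookie alone. Any site the victim visits can
        submit this form on their behalf; the browser adds the cookie."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401
        self.accounts[sess.user] = req.form["email"]
        return 200

    def change_email_hardened(self, req):
        """Also requires the per-session secret, compared in constant time.
        Only a page served by this origin could have read and copied it."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
            return 403
        self.accounts[sess.user] = req.form["email"]
        return 200


def cross_site_post(hardened):
    """Victim logs in, then visits the attacker's page, which auto-submits a
    POST to the bank. The browser attaches the sid cookie; the attacker's form
    carries no token because the token is unreadable cross-origin.
    Returns (status, victim's resulting e-mail)."""
    app = App()
    sid = app.login("victim")
    forged = Request(cookies={"sid": sid},
                     form={"email": "attacker@evil.example"})
    handler = app.change_email_hardened if hardened else app.change_email_vulnerable
    return handler(forged), app.accounts["victim"]


def same_site_post(hardened):
    """The legitimate flow: the site's own form includes the token."""
    app = App()
    sid = app.login("alice")
    req = Request(cookies={"sid": sid},
                  form={"email": "alice@new.example",
                        "csrf_token": app.csrf_token_for(sid)})
    handler = app.change_email_hardened if hardened else app.change_email_vulnerable
    return handler(req), app.accounts["alice"]


if __name__ == "__main__":
    print(cross_site_post(hardened=False))  # (200, 'attacker@evil.example')
    print(cross_site_post(hardened=True))   # (403, 'victim@example.com')
```

The point to take from the pair is that the cookie proves who the browser is, not which page built the request; the token is what ties the request to a page the site itself served.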
A: 

For an easy, fun way to get started (and continually learn), listen to Steve Gibson's Security Now! podcast on your commute.

To start thinking from a security perspective, read Bruce Schneier. While his latest book (Schneier on Security) is not overly technical, it puts you in the right mindset.

Jason's answer is very good; specialization is important. Computer Forensics is another large area.

TrueWill
+6  A: 

There are many areas of security expertise, so it highly depends on what you want your career path to look like. At the bits-and-bytes end there is penetration testing and "security research" (which is often as much "cataloging of programming bugs" as actual research). At the more strategic end there is "risk management", which often spends much of its time on non-technical considerations like appropriate budgets, education and response.

Blah, blah, blah, but how do you get started, right? Perhaps the best writer on the subject "big picture" security is Bruce Schneier. He's a cryptographer, but he focuses on things like the psychology of security, social attacks, and how to really think about security. Crypto-Gram is required reading for how to think correctly in this space.

In the bits-and-bytes areas, you probably want to figure out what area you're most interested in digging into (Windows, wireless, web, physical, iPhone, the list goes on and on). If I had to pick a single paper, though, I'd start with Smashing The Stack For Fun And Profit. It is still, all these years later, the best introduction to a key class of attack and to how technical attacks work in general. If these kinds of attacks are what really interest you, my favorite book on the subject is the Shellcoder's Handbook. Its attacks are old; many of them won't even work anymore as-is. But they're the basis of how many attacks are still done today.

If you want to move up the "value chain" into "business-centric security" (and learn to use phrases like that without quotation marks), you should begin work on a CISSP. People can debate till they're blue in the face over whether a CISSP actually means anything. The answer is: it means getting the job when CISSP is a requirement. My feelings on the CISSP? Any real security professional should be able to pass it. As such, it is a good baseline certification for whether you're a real security professional (which is what it's meant to be). It teaches the common terminology that has grown up in the security world, and learning the terminology is part of being a professional (just like in any other profession from law to engineering). The CISSP is very broad, and studying for it will give you a much better idea of what areas interest you, even if you don't ever sit for the test. There are tons of books on CISSP; All-in-One is fine. Reading this tome will not make you a security expert, but it'll introduce you to what security professionals know.

My background is in risk assessment. For years I traveled to companies, evaluated their environments, and told them what to fix in order to protect their most sensitive information. Probably the most useful training I had for that was the IAM (the NSA's Infosec Assessment Methodology). It's getting revamped right now into the new ISAM. It focuses on figuring out what pieces of an infrastructure actually matter, and then protecting those. The most important security tool I used: PowerPoint, to make pretty slides that made it clear to the client what they needed to understand and implement. And a decent suit. Understanding this stuff is one thing. You need to have very strong technical skills; that's a given. But actually making a difference takes a lot of people skills, presentation skills, project management and follow-through. It's what separates the 'l33t from the professionals.

Rob Napier
@Rob: I really appreciate you providing detailed information. Thanks for the links, particularly "Smashing The Stack For Fun And Profit".
rjoshi
+1  A: 

Though effective answers are given and in much detail, I wish to add that "Greatest risk comes from within" is a canonical paradigm in the work. For one thing, study crypto to start - there is a great deal of prior work documented in the Java source code. My thoughts on the matter at the moment are wishing that anyone who would do the work (infosec) study accounting controls in parallel with known crypto - all the study you can do revolves around access control and trace records ... if the greatest risk comes from within, then how do you defend against that when most web traffic consists of games and, uh, difficulty deriving from the operations arena, where most users don't want to know how the machine works.

You have to realize that browsers expose consumer-grade operating systems to traffic. Consider what traffic that actually is. One example is just in the last few years: an authority (who is supposed to know better) (having legal authority) instructed our shop to forward all names for authentication on one piece of paper with related information on that paper. The controller for the shop declined without any crypto training even remotely.

The remarks of Wyatt Barnett, though attracting attention from unwanted observers, hold key fields up for view, and the IPv4 nonsense shows the worth and value of Wyatt's snarkle. There are way too damn many User Izatwits at the keyboard exposed to folks who watch "Criminal Minds" every night on TV. In that context, the Security Theater becomes a Threat Theater more befitting a Troma flick than correctly constructed for the accounting controls that are appropriate for an area where someone can tack %20 on the end of a URL - most users cannot grasp that issue, let alone something like a salt or IV vector.

It's too easy to become someone's pawn; that is a known and expected area of expertise for anyone who would do the work. It is a given that you are there to defend your employer's valuable property. In doing that you will be frustrated by the authority for the machine you are to defend not knowing many basic precepts and practices. That is difficult when most security (infosec) cases that make it to contested review center on statements made by persons with virtually no training in the matter or (more likely) using software that they could not write themselves.

For wireless, I would study the engineering already established therein. I looked at it for a router I bought - it is totally sufficient if correctly installed and maintained. To understand how it works, it's just about totally a straightforward study of crypto and basic networking. There will be a wealth of study material on that.

Nicholas Jordan
+1  A: 

A bit of background before recommendations.

I have always organized real security work into application security and network security. If you want to set up firewalls and run nmap, test wireless installs, parse logs and do more sysadmin-y stuff, get into network security. If you enjoy finding bugs, get into application security. We are basically overpaid QA, and your time will be spent trying to find the security issues in an application. Most work in application security these days is web applications.

As for roles you can work in a company's security team, or as a consultant.

So first I would say you want to be more than a wireless security dude, because that is a bit of a narrow focus. If you want to do wireless security work you will have the most luck as a consultant, and most of your days will be installing wireless for a company securely or doing a quick assessment of their existing wireless setup.

If you have a programming background I would recommend looking into application security; you get to break stuff in clever ways instead of building it. Some things to Google: Phrack, OWASP and the bible of our industry, "The Art of Software Security". If you read that book you might agree with the assessment of security knowledge being a collection of trivia; on each security assessment you look into your trivia and try to figure out ways to break the thing you are looking at.

Your first step should indeed be setting up a web server and a vulnerable website and trying to break into it: try XSS, try SQL injection, scan it with nmap and see what ports are open. Look into the WebGoat project, which is a collection of intentionally flawed software just for this purpose.

Collin
@Collin: thanks for your advice. I have a good programming background, so I guess application security would get me a job quickly in this domain, and I can utilize the programming skills I have learned so far. Also I have been working in the telecom domain, so I have a good understanding of network equipment. So I could consider network security. But let me focus on "application security" initially.
rjoshi
For application security you want to know the gritty details of various flaws so you can spot them yourself in code reviews. Purchase The Art of Software Security and just work through the book; I can't think of anything more valuable than that. It's well-written, it's huge, it's complete, it has examples and it's written by some of the best appsec people in the world. Buy, read, and make example programs with the flaws and break them.
Collin
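The "build a small site, then break into it" exercise that both ChaosPandion and Collin recommend, worked through as an added example (not code from the thread, from OWASP or from WebGoat): a toy login query and a toy greeting page, each in its injectable form and its fixed form, with the SQL injection and XSS payloads that tell them apart. It uses only Python's built-in sqlite3 (in memory) and html.escape; the users table, passwords and payloads are constructed for the demo.

```python
"""Breaking and then fixing a toy login page: SQL injection and XSS.

Added example, not code from the thread. The users table, the passwords
and the attack inputs are all constructed; sqlite3 runs in memory.
"""
import html
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """String-formats user input into the statement: the classic injection
    bug. A name of  alice' --  turns the rest of the WHERE clause into a
    SQL comment, so the password check disappears."""
    q = (f"SELECT name FROM users WHERE name = '{name}' "
         f"AND password = '{password}'")
    row = conn.execute(q).fetchone()
    return row[0] if row else None


def login_hardened(conn, name, password):
    """Parameterized query: the driver sends values separately from the
    statement text, so quote characters in input cannot alter the query."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


def greeting_vulnerable(name):
    """Reflects input straight into the page: stored or reflected XSS."""
    return f"<p>Welcome, {name}!</p>"


def greeting_hardened(name):
    """Escapes for the HTML text context before reflecting. (Other contexts,
    e.g. inside an attribute or a script, need their own encoding.)"""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def demo():
    """Runs both payloads against both versions of each page and returns
    the outcomes so they can be inspected or asserted on."""
    conn = make_db()
    sqli_payload = "alice' --"                 # constructed attack input
    xss_payload = "<script>alert(1)</script>"  # constructed attack input
    return {
        "sqli_vulnerable": login_vulnerable(conn, sqli_payload, "wrong"),
        "sqli_hardened": login_hardened(conn, sqli_payload, "wrong"),
        "honest_login": login_hardened(conn, "bob", "hunter2"),
        "xss_vulnerable": greeting_vulnerable(xss_payload),
        "xss_hardened": greeting_hardened(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the vulnerable login returning "alice" for a wrong password while the parameterized one returns None, and the escaped greeting carrying `&lt;script&gt;` where the raw one carries a live `<script>` tag. Once the two toy pages are understood, the same payloads against a real stack (WebGoat, or your own test server) are where the learning Collin describes happens.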