views: 214

answers: 5

Is there a career path out there, or is it part of our job to find out security holes and such?

And

  • If there is, what path do you suggest for a person who wants to become one?
  • If there isn't, what experiences can you tell about security issues? (major or minor)
+1  A: 

Yes there is!

Google penetration testers

How do you become one?

Do not start hacking illegally. Do not give your favourite multinational a free pen. test.

That ends with jail.

John Nolan
+1  A: 

What John said is true: becoming a penetration tester is one way to go, or there are jobs such as being a security architect, but that takes a lot of experience.

If you listen to The Network Security Podcast there are a couple of episodes involving prominent people from the industry talking about how they got into security.

Mark Davidson
+1  A: 

Good security people are always in demand. This ranges anywhere from application architects to programmers to network engineers. You should look at the certification Certified Information Security Systems Professional (CISSP) (it's a good place to start). Every major organization employs people who focus on security.

The last bank I worked at employed their own team of penetration hackers whose whole job was to check new and existing applications for holes. There is a Deep Fried Bytes podcast (sorry, I can't remember which one, but it is one of the early ones I think) that interviews one of the main security engineers for Microsoft.

In my experience, to become a good security professional you need "the gift." Security people are good at finding holes in things and understanding how to plug them. It's a really specialized area as far as software development goes, and you have to be kind of a fanatic about designing secure systems. It requires a lot of reading about how systems work (on all levels), and case studies about how systems were penetrated in the past. You have to understand how everything fits together from soup to nuts and be able to see the big picture.

Kevin
I agree - security is more of a "mindset", and not everybody can shift into that, or apply it rationally to all scenarios.
AviD
+1  A: 

Like programming in general, I suggest you get some understanding and practice.

For web applications, OWASP has WebGoat, which is a deliberately insecure application for playing about with.

I got into it (non-web security) by accidentally finding quite a number of vulnerabilities and reporting them in a responsible manner.

Tom Hawtin - tackline
+6  A: 

Pen tester is a start, but with some exceptions there is a world of difference between a pen tester and a security expert. A pen tester has a lot of low level knowledge on how to enumerate and test for things that can go wrong - for example they know about the latest buffer overrun in some version of a web server. This type of knowledge has very limited shelf life and doesn't help much when it comes to designing secure systems. Some of the best security experts I know have no idea how to 'hack' and don't rate pen testing expertise at all.

To design secure systems you need to be able to enumerate what are the right things to do - much more difficult, but also knowledge that is much more enduring. For example, when you know the security principle of 'deny by default', and what that really means, you can design a system that validates input and which is proof against not just the latest buffer overrun, but also SQL injection, and a whole class of vulnerabilities. That includes what can be termed magic - vulnerabilities that haven't been discovered yet.

Your path into security will very much depend on your current skill set. Your best bet is to take those current skills and augment them with knowledge of best security practices in that area - many of which will be portable to other domains. Try to get a job similar to what you are qualified for now, but with some security responsibility (and ideally training) on top. Perhaps go for CISSP certification within that job, as a starting point.

But, if this is really the path you want to get into then you really need to read around a lot and be an expert in disciplines that are so eclectic it's not funny. If you want a book recommendation, I highly recommend Ross Anderson's Security Engineering, which is available for free in electronic form. That will give you a very good overview and also give you a feel for just how wide ranging 'security' is as a topic.

Other good online places to look in order to get some insight into the mindset are the Risks Digest, Bruce Schneier's blog, and Marcus Ranum's site.

frankodwyer
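The answer above contrasts knowing the latest specific bug with knowing the principle of "deny by default". The following is an added example, not code from the answer or from any project it mentions, that makes the contrast concrete: a deny-list validator that enumerates known-bad substrings is compared with an allow-list validator that describes the only acceptable shape of a username, and the allow-list gate is then placed in front of a parameterised SQL query. The function names, the regular expression, the sample inputs and the in-memory table are all constructed for this illustration.

```python
import re
import sqlite3

# Deny-list approach: enumerate the things known to be bad.
# Everything not on the list is implicitly trusted.
DENY_LIST = ("'", '"', ";", "--", "<", ">")


def passes_deny_list(value: str) -> bool:
    """Reject only inputs that contain a known-bad substring."""
    return not any(bad in value for bad in DENY_LIST)


# Deny-by-default approach: describe the only acceptable shape
# (here a username: 1 to 32 ASCII letters, digits or underscores).
# Everything else is rejected, including inputs nobody has thought of yet.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def passes_allow_list(value: str) -> bool:
    """Accept only inputs that fully match the expected shape."""
    return USERNAME_RE.fullmatch(value) is not None


# Constructed sample inputs: one legitimate value, the rest chosen to show
# where the two policies give different verdicts.
SAMPLE_INPUTS = {
    "alice_01": "ordinary username",
    "x' OR 1=1 --": "quote-based injection attempt, caught by both",
    "alice%27": "URL-encoded quote; only becomes a quote after a later decode",
    "alice\u2019": "curly apostrophe that some layers normalise to a straight quote",
    "A" * 4096: "far longer than any real username (the buffer-overrun class)",
}


def compare_policies(inputs=SAMPLE_INPUTS):
    """Return {input: (deny_list_verdict, allow_list_verdict)} for each input."""
    return {value: (passes_deny_list(value), passes_allow_list(value)) for value in inputs}


def make_demo_db() -> sqlite3.Connection:
    """In-memory table populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice_01", "admin"), ("bob", "user")]
    )
    return conn


def lookup_role(conn: sqlite3.Connection, username: str):
    """Deny by default at the input boundary, then use a parameterised query
    so the value is never interpreted as SQL even if validation is loosened later."""
    if not passes_allow_list(username):
        return None
    row = conn.execute("SELECT role FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for value, note in SAMPLE_INPUTS.items():
        deny_ok, allow_ok = compare_policies({value: note})[value]
        shown = value if len(value) < 40 else value[:20] + "..."
        print(
            f"{shown!r:30} deny-list={'pass' if deny_ok else 'REJECT':6} "
            f"allow-list={'pass' if allow_ok else 'REJECT':6}  ({note})"
        )
    db = make_demo_db()
    print(lookup_role(db, "alice_01"), lookup_role(db, "x' OR 1=1 --"))
```

Running it shows the deny list passing the encoded quote, the curly apostrophe and the oversized input, while the allow list rejects all three without having been told about any of them. That is the enduring knowledge the answer describes: the allow list and the parameterised query hold regardless of which specific vulnerability is discovered next.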