Ask HN: Is security consulting a good market/career path?
9 points by anewuser on Dec 1, 2015 | 2 comments
I've always been interested in security consulting (for instance, working for a company like Matasano). I'm curious what the market is like for security consultants/penetration testers. Is it profitable? Easy to find jobs (assuming you're decent at what you do)?



Is it profitable?

It's difficult to not be profitable in a services business. Is the question "Is it lucrative?" Application security is a lucrative specialization when one is doing it towards the high end. There also exist a bunch of folks who specialize in running off-the-shelf software and emailing the PDFed reports that software produces. Consultants who charge peanuts exist, but they're monkeys. Don't be a monkey; don't work for peanuts. (If you need a rough indication of rates I'd say "Similar to Rails development at the medium-to-high end of sophistication; similar to white-hot specialties like e.g. iOS developers with a strong portfolio or marketing engineers at the very high specialized end where one is doing e.g. cryptosystem review, embedded devices, etc." If you need further color on the weekly rates implied by that sentence: $8k is a fairly standard Rails journeyman weekly rate; there exist consultants in those white-hot specialities who charge north of $20k a week.)

Easy to find jobs (assuming you're decent at what you do)?

Contingent on one having the inclination and execution ability required to run a consultancy, which is something which comes much more easily to some technologists than to others, it is straightforward to get gigs as an appsec consultant. You go to people with applications and convince them to buy application security assessments and remediation from you. If this strikes you as being a straightforward problem, you will not experience difficulty finding work. If you're mystified as to how one would go about identifying software companies and finding someone inside them who can purchase application security assessments, it will be harder. (This is not directed at you personally but rather at a portion of the would-be consultants I've met over the years.)

As to career path: I would strongly, strongly suggest that application security consultants should have and maintain strong coding chops. If one does this -- and, incredibly to me, there appears to be a large swathe of the security industry which does not feel like they need to be able to actually write software -- one will never lack for professional opportunities.


What about a non-business owner? How about an application security consultant working with a business such as Matasano? How do those salaries compare?



