0

I have been a tech lead developing web (Java/JEE) and mobile (Android) applications for the past 12 years (mobile in the last year, though). I am somehow interested in IT security.

Is it worth taking the CISSP or CISA certification and entering the security stream? Is it common practice to move from programming/solution architecture to security auditing?

grg
Rao

2 Answers

3

I feel that anyone interested in pursuing a security-centric career should become a CISSP early in the process. If you are interested in remaining focused on development and wish to demonstrate security expertise, there are several other certifications that would be more appropriate. I strongly recommend the SANS classes and corresponding GIAC certifications as they are probably the most technically insightful and demanding. A specialist with one or more of the GIAC certifications is typically a very knowledgeable professional.

I would say that 12 years of experience and your use of the term "solutions architecture" suggest you are a senior practitioner. I would therefore urge you to consider becoming a Certified Secure Software Lifecycle Professional (CSSLP). This is a rather rare certification and can be a strong attractant in a high-end job search. CSSLPs with a few other, related certifications are rare and can expect excellent compensation in the current job market, where senior security personnel are in very high demand.

Not meaning to brag, but I speak from experience as I have 10+ years tenure as a CISSP, hold the CSSLP and CISA, and have a variety of other certs. I am approached about a job opening more than once a week, though I am not looking.

el viejo
2

Going from programming into security is more uncommon than going from networking into security, in my experience. This seems especially true for CISSP holders. Application security is increasingly important and there is a huge need for people with development experience in application security. Developers can communicate more effectively with developers and understand how to test applications instead of networks. Being able to read code and stack traces in logs will instantly put you ahead in the game.

mcgyver5