I'm the lead engineer of application security at my company. One of the best things someone in your shoes can do is to just start doing security. What I mean by this is:
1.) Get a few security books and start reading them - given your background, "Web Application Hacker's Handbook 2nd Edition" would be a recommendation.
2.) Once you get some understanding of the security content, start taking either your company's code, open source code, or even your own code and examining it, looking for security vulnerabilities. This also includes black-box testing such as inserting some <script>alert(1);</script> tags in boxes around your websites, inserting SQL injection payloads, directory traversal payloads, etc... You could also sign up to be a Bug Bounty researcher and get paid to do this during your time off once you've determined you're into it.
3.) Get on some good security-related forums, Discords, Slacks, go to Security Meetups, and finally, watch some good security YouTube videos such as LiveOverflow's channel, Gynvael Coldwind's channel, and others.
4.) Do challenges like those on pentesterlab.com AND pwnable.kr (the former is pretty much all web-based stuff, the latter includes more binary/native stuff).
If you're thorough with the above, you'll begin to be a real security engineer at heart. From this point, you can pivot into the role in one of several ways:
a) If your current employer has a security team, get to know them, talk to them about vulnerabilities you've found in the software, things you do to write more secure code, etc... Basically show an interest and let it be known that you're doing your homework.
b) If they don't have a security team, be the "security guy" of the company and keep the rest of the team up-to-date on the latest threats, vulns you've found in the code, etc... If this seems difficult because people act like they don't want to hear it, then you may need to do some research and link the engineering management with real-world vulns which have cost a company big time and how that happened.
c) Get really good at security outside of work, blog about it, you could also write a software security application/tool that would be useful for the industry right now, find some vulnerabilities in major software, and then start applying to pen tester, security engineering, security researcher, or security analyst jobs.
In my opinion, someone with a developer background has it much easier getting into security in application security roles because we need people who understand code and also understand how developers work, why they do what they do, how their workflows work, and even someone who can understand the problems they face. It really sucks when a security person is totally isolated from development work because they tend to misunderstand developers completely, which can lead to trouble since the job involves working with developers.
As someone who is involved in hiring security engineers, I can tell you right now that if I see someone with a strong dev background, who is a pleasant person, and who demonstrates that they love to learn, are passionate about security, and shows me some of their interesting research/other work, I'm likely going to want to hire that person. I'd rather hire someone who may even be less "smart" or security savvy in favor of someone who plays well with the development teams, understands the software development process, and also who is clearly passionate about security and demonstrates that.