Is the work at Matasano (and security consulting in general) mostly attacking web apps? How often do you get to use tools such as IDA Pro to reverse binaries?
Either way, it must be fun doing that full time. Nothing in the world comes quite close to the feeling of breaking someone's system. The building excitement and anticipation as you realise you might just have found a place where they don't properly encode one protocol into another. The intense satisfaction when you get to demo an exploit. Unlike the rest of app dev, you can prove your attack is right.
I've been a security consultant for ~13 years or so (predominantly application focused), and I'd say that all other things being equal, a good portion of it is web apps.
That's mostly just an artifact of the fact that so much software over the past ten years is web-based. I'd say maybe 80% of the client work I've done has been web-based (with maybe 10-15% non-web application, and the remainder network stuff).
But it's not the same everywhere. I would posit that one of the differentiators is the size of the company (i.e.: bigger security firms probably do more web-based stuff than more boutique places, mostly due to the clients that big firms service).
At the last place I worked, I ran a 10-person consulting division, and it was maybe 50/50 web-app/non-web-app testing. We were eventually acquired by a giant telco (two actually), and fast-forward a couple years, and the now 200-person consulting division is mostly doing PCI-related web-app testing (I have since left, although I think I stayed longer than I should have).
The larger the company, the larger your clients (generally), and the less agility of your sales process (i.e.: salespeople tend to have a much easier time selling web application testing, as there is a huge number of clients who need it, and it's easy to put together statements of work around it).
So my advice, if you're interested in the more interesting types of security work, is to look for a small-to-medium-sized place. Actually, regardless of the type of security work you're interested in, I'd recommend a smaller firm. I've worked at enough of both to think that there's a certain size (either of head count or revenue) where you start to do less interesting work.
We definitely do both things. You wouldn't want to work here if you hated web apps. You wouldn't need to know your way around IDA Pro on day 1 (for reasons that will become clear in a few months, you'd be comfortable with the basics of assembly language within a month or so of starting).