You have a number of options>
- you can use scanners like nessus, nikto, retina and so forth
- you can search databases like milw0rm, securityfocus or securiteam
- you can fuzz applications and find your own Oday vulnerabilities and then use Metasploit to develop the exploit
You have a number af online training courses that teach you the above. I would recommend you look at Offensive-Security.com and their 101 and b2m courses. They come as online courses (b2m will come in a not to distant future) and are priced very affordable. If you have financial backing you should also look at SANS courses (the 504 and 560 for starters)