No comment on the Cisco side but I am a bit on the same path as you. So I will share my methods with you but first I will tell a bit of my background so you can compare it to yours:
I grew up with an Amiga, played games on MS-DOS + Windows and when internet became popular my attention shifted to information security. I'm now 30 years old and the past 8 years I have hold the following positions: first-line support, system/network administration (Windows, Citrix, OS/400, Cisco) and finally security officer (risk assessment, policy/procedure writing, vuln. assessment/pentesting).
Exploit writing has always amazed me and had something mystical about it. I see it as the top of the security chain, since without these people breaking security is a lot harder. It consists of two phases: find a vulnerability, write a working exploit.
Right now I am trying to plan a good way to reach my goal. These are the steps I will take:
1: Research the various types of bugs that lead to vulnerabilites: (heap/stack buffer overflow, off-by-one, use after free, etc). When you understand these, the next step is to recognize them in a specific technology/implementation.
2 Pick a technology: Operating Systems (32vs64 bit, local vs remote), Smart-phones/Tablets, Embedded Hardware (printers, networked devices). Since they are all very different from eachother you need to focus all your effort on 1 technology in my opinion.
3: Read, read, read: learn the language, uncover how things truly work. Use books, system documentation, research from fellow peers.
4: Finding vulnerabilities: debugging/RE tool usage (gdb is pain in the *ss if you are used to GUI's hehe), fuzzing, dissect patches, read published exploits and see what part it targeted and how it works, look for buffer overflow exploits and see if you can modify them to remote/local code execution, check if a vulnerability in a similar technology exists in ours as well. E.g. browser bug on OS also on smartphone?
5: Exploitation Phase: learn a scripting language to automate things, low level programming (assembly), metasploit (if you want to port your exploits to it), shellcoding + bad char identification + encoding, protection evasion (DEP, ASLR, EMET on windows)
Resources:
1 Wikipedia has a nice overview of the various types of programming vulnerabilities:
http://en.wikipedia.org/wiki/Software_bug2 Read the book: A Bughunters Diary to see how people do vulnerability analysis
3 IO challenges at smashthestack.org They give you vulnerable sourcecode, spot what is wrong and exploit it. Very difficult when you start but very rewarding when you write your first exploit from scratch.
4 Specific information for Windows exploit writing:
https://www.corelan.be/5 Watch on securitytube: Assembly for Linux or Windows, GNU Debugger, Exploit Research, Linux Format String/BoF, consider the Python Scripting Class
That is a bit of info of the top of my head. If you update your post with the specific technology or OS you like to exploit it is easier to give more specific resources.
Tools : Symbolic Exploit Assistant project is looking for collaborators
