The best way to learn to play defense is to play offense, and the OWASP Broken Web Applications Project makes it easy for application developers, novice penetration testers, and security-curious management to flex their offensive muscle in the safety of a virtual machine on their own laptop.
Web applications are the most visible front door to any enterprise and are often designed and built without strong security in mind.