I recently started checking out Google Code University’s Jarlsberg Project, which is a really cool idea: it provides a sandboxed website with multiple security vulnerabilities. It then gives the user challenges to hack the site in various ways and provides explanations and walkthroughs of how to fix the vulnerabilities that were just exploited.
I haven’t seen a more effective way of learning about secure coding practices for the web. It’s certainly not as interesting to read about Cross-Site Scripting as it is to try to get an alert(1) window to pop up on another website.
I definitely recommend going through at least the first few exercises if you have any responsibility for a public-facing website or just an interest in web security.