As a developer, I’ve learned that I usually gain a better understanding of best/worst practices through experience. The area of web application security isn’t really somewhere where my organization can afford to let developers learn through trial and error.
So looking for a hands-on approach to knowledge sharing of best practices in web application security, I was thinking that it would be useful to have an open source application that was deliberately built to be insecure in order to help teach junior developers about application security.
Does anyone out there know where to find something like this?
There are online (hacking challenge / practice / fun) and offline (you got the source code) apps:
Offline:
Online:
More Realistic Demonstration
This is an old list I grabbed from somewhere; some of them may be down right now.
Challenge sort of examples