WebGoat by OWASP is a good platform to learn and practice web application security. I just used it in a meeting with our app development and operations teams to show how a web app could easily be compromised due to a lack of security consideration in the design and maintenance phases.
As far as I know, the feedback is good, and they started to show interest and ask questions about web/app security. Instead of boring slides with statistics such as threat trends, defaced pages and phishing site distribution, WebGoat is a good tool to show your expertise and convince technical guys.
Another tool to work with WebGoat is WebScarab, an HTTP proxy that intercepts client requests and server responses, allowing you to modify data, that is, to launch an attack.