A couple of weeks ago at the amazing-beyond-belief PyCon 2013, David Stanek and I presented a half-day tutorial. We used a deliberately-vulnerable web application to walk our students through the OWASP Top 10, giving them hands-on experience exploiting these problems and offering advice on how to mitigate them.
While we had concerns about the amount of material and the time available, not to mention the size of the class--we had about 80 people show up!--it seemed to go well, and we got a lot of positive feedback both during the tutorial itself and throughout the rest of the conference. One attendee even told us that thanks to our class, he'd fixed a security problem over lunch immediately after the tutorial! It was immensely satisfying to hear that we'd been able to catalyze some actual improvement in the world.
If the official feedback is good enough, we may look to run this again in the future, whether at smaller venues like PyOhio or next spring at PyCon 2014.
You can clone down the tutorial app if you'd like to follow along with the slides.