I regularly use the four open source security testing tools covered in this article. (I mostly use WebGoat for examples.)
For the absolute beginners out there, a great resource is Hacker Highschool. As the name implies, this material was designed for high school students. If you think you need to start at square one, start here. If you find the material useful, consider contributing to the worthy cause.
For some less basic but still introductory material, check out Julian Harty's work on Commercetest.com. Julian provides open content for nonfunctional testing (including security testing). As mentioned earlier, I like the Whittaker and Thompson book How to Break Software Security; I also recommend the presentation "Top Web App Attack Methods and How to Combat Them," by Dennis Hurst of SPI Dynamics.
Finally, once you feel ready to jump in, try some work with OWASP. They have tools, advanced material, and plenty of opportunities for you to get involved. In addition, check out Insecure.org, a great source for news, tools, and instructions if you're serious about security testing.