Or just giving them a print-out of the OWASP top 10 (and a long wait) would be a good start.
Not a member of The Register? Create a new account here.
Remember me on this computer? Post anonymously?