A few weeks ago I finished a big update to Secure Coding in Java/JEE (DEV541) which has a new day dedicated to hacking, reviewing, and fixing the code of a real-world open source web application written in Java. It's an introduction to security in the SDLC and is similar to the "Capture and Defend the Flag" that Jason and Johannes did for DEV522 but focuses on fixing a single Java web app.
In the course you exploit common vulnerabilities like XSS, CSRF, and blind SQL Injection against a live application to see, first hand, what a real attacker might do to your system. You also perform a code review to identify the vulnerabilities and then apply a fix using various secure coding techniques.
The new course is being run for the first time in Vegas on September 20-23 and you can save $400 by signing up before August 11. Let me know if you're in Vegas and want to grab a beer!