During the training we will explore the activities across the complete SDLC that are needed to build secure code, and learn to recognize insecure code using two different Java applications (Javula, WebGoat). Using the security tools that security engineers use, we will exploit the vulnerabilities, create fixes based on the ASVS v4, MASVS (for mobile) and SKF recommendations, and validate their effectiveness using the previous exploits.

The first day will focus on understanding the security standards (using ASVS and SKF), how to do threat modelling and how to apply the security principles. After that, using security tools, we will start exploiting web application vulnerabilities in the WebGoat Java app. Each attendee will exploit, fix and retest the vulnerabilities.

The second day introduces some of the Spring Boot security features (like the Java Security Manager) and explores well-known issues that have affected Spring Boot. The second part keeps the focus on another batch of backend vulnerabilities and briefly touches on how to detect them through source code review processes for mobile and web. Finally, an exciting and fun security quiz will take place in the last 30 minutes, where the winner will be awarded a defdeveu gadget.