Every developer expects his app is vulnerability safe. But we all know that such applications do not exist, but we usually deal with not enough tested. This year the Open Web Application Security Project (OWASP) has published TOP-10 most critical vulnerabilities of web applications. I'll tell you what it is and what was changed over the last 4 years from the moment of publication of the previous version. I'm going to explain which types of vulnerabilities are the developer's responsibility and which we can't influence on. I'll show how the popular frameworks help us to develop secure applications and in which situations they can't help.