Hdiv Technical FAQ



Almost all applications are vulnerable to attack. According to Gartner, applications and data—not infrastructure—are the focus of modern cyber attacks. And attacks are on the rise. In 2015, companies saw an average of 160 successful cyber attacks per week, more than three times the 2010 average of 50 per week.

When you consider how many applications are used by the typical enterprise, the vulnerabilities increase dramatically. There are also new types of attacks: Web, cloud, API and mobile systems and interfaces can often be exploited by SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) or denial of service attacks that thwart old defenses and result in the loss of sensitive information, unauthorized asset transfer, business discontinuity or dangerous system behaviors (Gartner 2015, Hype Cycle for Application Security).

Insecure software is undermining financial, healthcare, defense, energy, and other critical infrastructure applications. As digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. Companies can no longer afford to tolerate relatively simple security risks like injection, broken authentication and session management, cross-site scripting, or insecure direct object references (OWASP Top 10, 2013).

In addition, many applications have inherent programming errors, such as insecure interaction between components, risky resource management, and porous defenses. Features and functionality are usually more important to software developers than security, and as a result, well-known security vulnerabilities are often not addressed (SANS Top 25 Most Dangerous Programming Errors).

Breaches are expensive and can lead to serious reputation damage. According to the Heritage Foundation, Nov. 18, 2015, Ponemon surveyed companies in the areas of finance, energy and utilities, and defense and aerospace—three of the most affected sectors—as well as communication, retail, and health care. The annual cost of cybercrime for these companies has more than doubled since 2010. Of the companies surveyed, the minimum cost to a company was $1.9 million while the maximum cost was as much as $65 million in 2015. The bottom line is that all applications are vulnerable, and when applications are vulnerable, so is the overall organization and its users.
Runtime application self-protection (RASP) is a security technology that's built on, or added into, an application runtime environment. It can control application execution, as well as detect and protect applications from real-time attacks. Today’s enterprises should be interested in RASP because it protects application logic and data, rather than simply watching traffic entering and leaving a perimeter-based security solution. For this reason, RASP is also a better solution for protecting applications and defending against threats than securing them after the fact. RASP enables ongoing, real-time protection without changes to application code, without false positives, and without the need for learning processes or content parsing.
The Open Web Application Security Project (OWASP) is a worldwide, nonprofit organization focused on improving the security of software. It functions as an online community that creates freely available articles, methodologies, documentation, tools, and technologies. The OWASP Top Ten is a powerful awareness document that is published and updated regularly. It lists the 10 most critical web application security risks, providing a description with examples and guidance for avoiding each threat. Project members include a variety of security experts from around the world who share their expertise to produce this list. More information can be found here.

Companies should adopt this awareness document within their organization and start the process of ensuring that their applications are protected against these flaws.


Hdiv is a leading provider of open source software for real-time, self-protected applications. Hdiv solutions are built into applications during development to deliver the strongest available runtime application self-protection (RASP) against OWASP Top 10 threats.

Customers and partners can use Hdiv and retain their existing programming environments, app code, teams, and application lifecycle processes while accelerating time to market for new, self-protected apps and revenue-generating services.

Hdiv eliminates the need for teams to acquire security expertise, and it automates self-protection to greatly reduce operations costs.

Since 2008, Hdiv has pioneered open source self-protection software and achieved critical integrations with Spring MVC and Grails. In 2016, a commercial version of Hdiv was launched and the Hdiv Security company was founded. Today, Hdiv software integrates with leading commercial software providers, and is used by leading global enterprises in banking, government, retail, technology, and aerospace. Hdiv also aligns with standards set by European and North American cyber security agencies. The company is privately held and headquartered in San Sebastián, Spain.


Hdiv takes a fundamentally different approach to application security. Our philosophy is one of enabling more secure software, not creating more security software. The traditional approach has always been to secure applications after their development. Hdiv protects them from the beginning, during application development, to solve the root causes of risks, as well as after the applications are placed in production. Hdiv is an all-in-one solution integrating the best of the AST (application security testing), RASP (runtime application self-protection), and WAF (web application firewall) approaches.
The primary difference between Hdiv and other RASP tools is that Hdiv defends against 90% of the Top 10 OWASP web risks. Other RASP tools are effective with some of the vulnerability patterns and focus only on protection against risks such as SQL Injection and XSS. These tools cannot protect against attacks on business logic, leaving 20 to 40 percent of the OWASP Top 10 risks uncovered.
For comprehensive details on each type of risk, refer to Covered OWASP Top 10 risks.
Hdiv protects applications already in production with the best of the AST (application security testing), RASP (runtime application self-protection), and WAF (web application firewall) approaches. The application should be developed in an Hdiv-supported framework, and Hdiv can be applied at any time during the development, implementation, or production phase. Hdiv also complements existing AST and WAF solutions.


Interested organizations can contact Hdiv to arrange a demo here or request a trial version here. To request a one-to-one demo meeting, please fill in the form here. To download the Hdiv Community version, visit our GitHub repository here.
Leading global enterprises in banking and finance, government, retail, technology, and utilities rely on Hdiv for the strongest protection against OWASP Top 10 threats. These include customers in North America, Europe, South America, and the Middle East.
Feel free to contact us with any questions about the application security landscape and how Hdiv can help you achieve your application security goals.

Hdiv Enterprise Edition provides business-critical service level agreements (SLAs) up to 365x24. Support services include access to a private forum staffed by a professional technical support team. An Hdiv expert will look at your application code and identify development issues via Skype or Google Hangouts screen share.

For more information, use the contact form here.
Join our Hdiv Partnership Programs. Partnerships with leading technology companies and business services providers give Hdiv customers tremendous flexibility for protecting their applications. Our partners enable you to simplify integration, accelerate implementation, and gain easy access to first-level support services.

Technology Partners: Hdiv forms partnerships with best-of-breed technology providers, giving applications owners access to innovative solutions from companies with proven track records.

Business Partners: Application self-protection represents a significant market opportunity for development companies, resellers, Value-added Resellers, consultants, and app developers. Hdiv enables you to easily enhance customers’ applications with runtime security. Our product enables you to deliver holistic, all-in-one solutions that protect applications from the inside while simplifying implementation across a range of environments.

For more information about becoming an Hdiv Partner, please contact us here.

Instructional Videos


Application Self-Protection

We eliminate or mitigate web security risks by design, repelling 90 percent of the web risks included in the OWASP Top 10.


Web Application Attack Examples

This video shows how to perform the most common web attacks based on OWASP Top 10 web risks. For example: SQL Injection, XSS, CSRF and Parameter Tampering.


Web Application Attack Examples (Secured with Hdiv)

This video shows how Hdiv blocks the most common web attacks based on OWASP Top 10 web risks. For example: SQL Injection, XSS, CSRF and Parameter Tampering.


Hdiv Enterprise Edition

Hdiv Enterprise is a runtime application self-protection (RASP) version that offers strong, enterprise-class security, exclusive functionality, enterprise-level support services, and high scalability.


Hdiv Enterprise Edition protecting Android and iOS apps

This video shows how Hdiv EE supports some of the most widely used RESTful API implementation libraries, adding OWASP Top 10 risk protection to the server-side part of native mobile applications, as well as to client-side MVC frameworks that consume RESTful services.


Developer toolbar

This video shows how the Hdiv Developer Toolbar detects vulnerable points within the source code at runtime, reporting the file and line number of the vulnerability.


HDIV Protection Tested With Acunetix Web Vulnerability Scanner

We used Acunetix Web Vulnerability Scanner to test how our Spring MVC and Hdiv example application protects against OWASP Top Ten web risks.

As described in the video, Hdiv protects against the attacks performed by Acunetix Web Vulnerability Scanner, preventing the exploitation of application-level web risks such as:

- OWASP A1 – SQL Injection
- OWASP A3 – Cross-Site Scripting (XSS)
- OWASP A8 – Cross-Site Request Forgery (CSRF)

It is important to note that Acunetix Web Vulnerability Scanner does not detect OWASP A4 – Insecure Direct Object Reference (Parameter Tampering). This is normal with all kinds of vulnerability scanners because in many cases, this category of vulnerability requires human intelligence to identify it.


RASP installation

See how to install the runtime application self-protection (RASP) product to add the strongest real-time protection to your apps.


IAST installation

See how to install the interactive application security testing (IAST) product to detect security vulnerabilities.

Conferences and Events


Spring I/O 2016 - Securing RESTful services with Spring HATEOAS and Hdiv

by Roberto Velasco (Hdiv) on May 19, 2016

The number of applications based on a client-side MVC architecture that consume RESTful services is increasing exponentially. For example, mobile native applications (iOS, Android, etc.) or client-side MVC web applications (AngularJS, React, etc.).

Analyzing the traditional OWASP Top 10 web risks, we can consider almost all of them are relevant to these new scenarios. So the question is, how can we protect these service based applications against the traditional OWASP Top 10 web risks?

This talk presents an innovative approach to automate the protection of Spring HATEOAS services against OWASP Top 10 security risks, through the integration of Spring HATEOAS with the Hdiv security framework.


Securing Grails Applications

by Burt Beckwith (SpringSource) on Dec 13, 2013

Burt Beckwith discusses the security risks web applications may face (XSS, CSRF, SQL injection) and the libraries and plugins (Hdiv) that developers can use to secure their Grails applications.

Burt Beckwith is a core developer on the Grails team and has created over 40 Grails plugins. Burt is a frequent speaker at conferences and user groups and the author of "Programming Grails" and blogs at


Spring I/O 2012 - Web Security with Spring MVC and Hdiv (Spanish)

by Roberto Velasco (Hdiv) on Feb 17, 2012

Roberto Velasco (Hdiv project founder) talks about how to secure web applications with Spring MVC and Hdiv. The official integration of Hdiv in Spring MVC has been implemented thanks to the collaboration between SpringSource and the Hdiv team.

Spring I/O is the main Spring conference in Europe for application developers, solution architects, web operations and IT teams who develop business applications.


Spring MVC 3.1 Update

by Rossen Stoyanchev (SpringSource) on Dec 30, 2011

Rossen Stoyanchev covers some of the new features available in Spring MVC 3.1: URI variable, Redirect & Flash attributes, UriComponentsBuilder, Multipart Request Support, and Hdiv Integration.

Rossen is a Spring Framework committer with contributions in the web and messaging modules including Spring Web MVC and WebSocket messaging. Rossen has been instrumental in the design and development of Web-related features in the 3.x and 4.x Spring Framework generations and is currently working on major “Reactive” additions in the web modules for version 5.0.




Hdiv Enterprise Edition

Hdiv Enterprise Edition is a commercial RASP version with enterprise-class security, exclusive functionality, scalability, and enterprise-level support services. We support Hdiv Enterprise with business-critical service level agreements up to 365x24.




Hdiv Reference Documentation

Hdiv Reference Documentation. Avoid OWASP Top 10 risks in your application: XSS, CSRF, Parameter Tampering, among others.