What is HDIV?

HDIV was originally born as an open source project when it was developed by Roberto Velasco, Gotzon Illarramendi, and Gorka Vicente to confront security issues detected in production environments. The first stable Version 1.0 was released in 2008, in the form of a security library to be integrated within web applications. HDIV was officially integrated with Spring MVC, the most-used Java solution for web application development in 2011. In 2012, HDIV was integrated with Grails. In 2015, HDIV was included within Spring Framework official documentation as a solution related to web security. Based on global interest and responding to high market demand, the creators founded the HDIV Security (https://hdivsecurity.com/) company and launched the commercial version of HDIV in 2016. HDIV solutions are built into applications during development to deliver the strongest available Runtime Application Self Protection (RASP) against the OWASP Top 10 threats.

HDIV was born to protect applications against parameter-tampering attacks. Its first purpose (as the acronym, HTTP Data Integrity Validator, suggests) was to guarantee the integrity (no data modification) of all the data generated by the server (links, hidden fields, combo values, radio buttons, destination pages, cookies, headers, and more). HDIV extends a web application's behavior by adding security functionalities while preserving the API and the framework specification. HDIV gradually incorporated capabilities such as CSRF, SQL Injection (SQLi), and XSS protection, thus offering greatly increased security and becoming more than just an HTTP data integrity validator.

Attacks are becoming cheaper and more automated, and manual security testing is becoming a costly bottleneck. Spring Security protects the application by making the most important security aspects, such as authentication and authorization, easy to implement, but it does not protect against common security bugs and design flaws in your application code. This is where HDIV comes in: it can be integrated into a Spring application that is already secured using Spring Security. We will go through a very simple example that showcases a few of the areas where HDIV shines. Here are some of those advantages, as detailed on their website:

  • HDIV detects security bugs in source code before they are exploited, using a runtime dataflow technique to report the file and line number of the vulnerability. Reporting to developers is immediate during the development process, either within the web browser or within a centralized web console.
  • It protects from business logic flaws with no need to learn applications and offers detection and protection from security bugs without changing the source code.
  • HDIV makes integration possible between the pen-testing tool (Burp Suite) and the application, communicating valuable information to the pen-tester. It avoids many hand-coded steps, focusing the attention and effort of pen-testers on the most vulnerable entry points.
For more information, you can check the following link: https://hdivsecurity.com/.

Let's start building a simple example that showcases how HDIV protects links and form data in your application.
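To make the integrity idea concrete before the book's own example, here is an added illustration (not the book's code and not HDIV's implementation): while rendering a page, the server registers the values it generated for every non-editable field under a random state id, and on submit it rejects any request whose values differ from what it generated. The class name, the in-memory store and the sample form parameters are all constructed for this example.

```java
import java.security.SecureRandom;
import java.util.*;

// Illustrative HDIV-style integrity check (added example, not HDIV's own code).
public class IntegrityValidator {

    /** Allowed values per non-editable parameter, plus parameters the user may type freely. */
    record PageState(Map<String, Set<String>> allowed, Set<String> editable) {}

    private final SecureRandom random = new SecureRandom();
    // stateId -> state; a real deployment would scope this store to the HTTP session
    private final Map<String, PageState> states = new HashMap<>();

    /** Called while rendering a page: stores the server-generated values, returns the id to embed. */
    public String registerPage(PageState state) {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String id = HexFormat.of().formatHex(raw); // requires Java 17+
        states.put(id, state);
        return id;
    }

    /** Called on submit: returns null when the request matches what the server generated. */
    public String validate(String stateId, Map<String, String> submitted) {
        PageState state = states.get(stateId);
        if (state == null) return "unknown or expired state id";
        for (Map.Entry<String, String> e : submitted.entrySet()) {
            String name = e.getKey();
            if (state.editable().contains(name)) continue; // free text: app-level rules apply
            Set<String> allowed = state.allowed().get(name);
            if (allowed == null) return "unexpected parameter: " + name;
            if (!allowed.contains(e.getValue())) return "modified value for " + name;
        }
        for (String required : state.allowed().keySet()) {
            if (!submitted.containsKey(required)) return "missing parameter: " + required;
        }
        return null;
    }

    public static void main(String[] args) {
        IntegrityValidator v = new IntegrityValidator();
        // constructed page: hidden account id, currency drop-down, free-text amount
        String id = v.registerPage(new PageState(
                Map.of("accountId", Set.of("1234"), "currency", Set.of("EUR", "USD")),
                Set.of("amount")));
        Map<String, String> ok = Map.of("accountId", "1234", "currency", "EUR", "amount", "50");
        Map<String, String> bad = Map.of("accountId", "9999", "currency", "EUR", "amount", "50");
        System.out.println("valid submit: " + v.validate(id, ok));
        System.out.println("changed hidden field: " + v.validate(id, bad));
        System.out.println("unknown state id: " + v.validate("constructed-bogus-id", ok));
    }
}
```

The checks mirror the categories in the previous paragraph: hidden fields and combo values must match a server-generated value, while text inputs are left to the application's own validation.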
