Hdiv Detection was an Interactive Application Security Testing (IAST) solution that identified vulnerabilities through runtime dataflow analysis.

The platform monitored application execution to pinpoint security issues with exact file and line number locations, delivering findings to development teams without false positives.

Hdiv Security is no longer actively maintained as of 2024.

What is Hdiv Detection?

Hdiv Detection operated by instrumenting Java and .NET applications at runtime, observing how data flows through the application during normal operation or testing.

Unlike SAST tools that analyze static code or DAST tools that probe applications externally, IAST combines both perspectives by watching code execute with full visibility into internal behavior.

The platform traced user input from entry points through transformations and validations to sensitive operations like database queries or system commands.

When untrusted data reached a dangerous sink without proper sanitization, Hdiv flagged the exact code location responsible.

This runtime context eliminated the false positives common in static analysis while providing deeper coverage than black-box scanning.

Key Features

Runtime Dataflow Analysis

Hdiv instrumented applications to track data propagation in real-time.

The analysis engine understood:

Source identification: HTTP parameters, headers, cookies, file uploads
Transformation tracking: Encoding, parsing, string manipulation
Sanitization recognition: Input validation, encoding functions
Sink monitoring: SQL queries, command execution, file operations

This comprehensive tracking enabled accurate detection of injection vulnerabilities, XSS, path traversal, and other data-dependent security issues.

Zero False Positive Architecture

By observing actual application behavior rather than inferring from static code, Hdiv achieved near-zero false positive rates.

The platform only reported vulnerabilities when:

Untrusted data actually reached a dangerous operation
No effective sanitization occurred along the data path
The vulnerability was exploitable in the runtime context

Developers received actionable findings rather than theoretical warnings requiring extensive triage.

Precise Vulnerability Location

Each finding included exact source code locations:

Vulnerability: SQL Injection
Severity: Critical
File: /src/main/java/com/app/UserRepository.java
Line: 47
Method: findUserByEmail(String email)

Data Flow:
  Source: HTTP Parameter 'email' (UserController.java:23)
  → Transform: toLowerCase() (UserService.java:31)
  → Sink: executeQuery() (UserRepository.java:47)

Remediation: Use parameterized queries instead of string concatenation

DevOps Integration

Hdiv integrated with CI/CD pipelines to provide security feedback during development and testing.

The platform supported:

Jenkins, GitLab CI, and Azure DevOps integration
REST API for custom automation
IDE plugins for real-time feedback
Issue tracker integration (Jira, GitHub Issues)

How Hdiv Worked

Agent Installation

For Java applications, Hdiv attached as a Java agent:

# Add JVM argument
java -javaagent:/path/to/hdiv-agent.jar \
     -Dhdiv.config=/path/to/hdiv.properties \
     -jar application.jar

For .NET applications, the agent installed as an IIS module or attached to the runtime.

Configuration

# hdiv.properties
hdiv.server.url=https://hdiv-server.company.com
hdiv.api.key=your-api-key
hdiv.application.name=my-application
hdiv.environment=development

# Vulnerability detection
hdiv.detection.sqli=true
hdiv.detection.xss=true
hdiv.detection.pathtraversal=true
hdiv.detection.commandinjection=true

# Exclusions
hdiv.exclude.urls=/health,/metrics

Running Analysis

With the agent attached, Hdiv analyzed the application during normal operation:

Development: Developers ran applications locally with the agent attached
Testing: QA executed test suites while Hdiv monitored for vulnerabilities
Staging: Pre-production environments provided production-like coverage
Production: Optional runtime protection mode (Hdiv Protection)

Integration Examples

Jenkins Pipeline

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'mvn clean package'
            }
        }
        stage('Security Test') {
            steps {
                // Start application with Hdiv agent
                sh '''
                    java -javaagent:hdiv-agent.jar \
                         -Dhdiv.api.key=${HDIV_API_KEY} \
                         -jar target/app.jar &
                    sleep 30
                '''
                // Run tests to exercise application
                sh 'mvn test -Dtest=*IntegrationTest'

                // Check Hdiv results
                sh 'curl -f https://hdiv-server/api/scan/${BUILD_ID}/status'
            }
        }
    }
}

GitLab CI

security-test:
  stage: test
  script:
    - |
      # Start application with Hdiv instrumentation
      java -javaagent:hdiv-agent.jar \
           -Dhdiv.api.key=$HDIV_API_KEY \
           -Dhdiv.application.name=$CI_PROJECT_NAME \
           -jar app.jar &

      # Wait for startup
      sleep 30

      # Run integration tests
      mvn verify -Pintegration-tests

      # Fetch Hdiv results
      curl "https://hdiv-server/api/results?app=$CI_PROJECT_NAME&build=$CI_PIPELINE_ID" \
           -H "Authorization: Bearer $HDIV_API_KEY" \
           -o hdiv-results.json

      # Fail on critical findings
      CRITICAL=$(jq '.findings | map(select(.severity == "CRITICAL")) | length' hdiv-results.json)
      if [ "$CRITICAL" -gt 0 ]; then
        echo "Found $CRITICAL critical vulnerabilities"
        exit 1
      fi
  artifacts:
    reports:
      junit: hdiv-results.xml

Current Status and Alternatives

Hdiv Security ceased active development and maintenance around 2024.

Organizations previously using Hdiv should migrate to actively maintained alternatives:

Alternative	Type	Notes
Contrast Security	IAST	Market leader with similar zero-false-positive approach
Datadog IAST	IAST	Integrated with Datadog APM platform
Checkmarx IAST	IAST	Part of Checkmarx application security suite
Synopsys Seeker	IAST	Enterprise IAST with broad language support

When Hdiv Was Used

Hdiv Detection suited Java and .NET development teams seeking accurate vulnerability detection without false positive noise.

The runtime analysis approach worked particularly well for:

Complex applications with dynamic behavior difficult to analyze statically
Development teams with limited security expertise for triage
Organizations integrating security testing into CI/CD pipelines
Environments where DAST scanning faced authentication challenges

The technology represented a significant advancement over pure static or dynamic analysis, and the core concepts continue in current IAST products from other vendors.

Organizations evaluating IAST solutions today can apply similar selection criteria while choosing from actively maintained platforms.

Note: Hdiv Security is no longer actively maintained. Consider alternatives like Contrast Security or Datadog IAST.