
Deep Security for Web Apps


Vulnerability Detection and Protection for Web Applications

Comprehensive. Integrated. Actionable Insight. Deep Security for Web Apps provides a complete suite of security capabilities in one integrated solution, saving you time and hassle.

  • Complete intelligent scanning of applications and platform
  • Integrated detection and protection for immediate response to new threats
  • Unlimited SSL certificates for lower costs and greater trust

Intelligent Web Application Security

Web applications make doing business easier and more cost-effective, but they carry risks. How do you know your applications are safe? Cyberattacks, like the recent Russian Hack and JP Morgan attacks, are growing in number and complexity, and you need security software that can keep up.

Trend Micro has developed the first comprehensive service designed to detect vulnerabilities and protect web applications in a single integrated solution. Deep Security for Web Apps offers:


  • Application Vulnerability Scanning: Detect vulnerabilities such as Shellshock and Heartbleed in web applications, with no false positives
  • Application Logic Testing: Discover application logic flaws with help from Trend Micro’s security experts, including comprehensive proof of exploitation
  • Platform Scanning: Identify key security vulnerabilities at the platform layer, including scanning of the operating system, web server, and application server
  • Integrated Protection: Shield vulnerabilities before they can be exploited with intrusion prevention and WAF rules
  • Cost-Effective SSL Security: Unlimited SSL certificates, including Extended Validation, to secure transactions and instill trust
  • Compliance: Continuously scan applications to help achieve compliance with PCI DSS, HIPAA, etc.

Comprehensive Scanning Without False Positives

AWS pre-authorized scanner

With web apps growing rapidly in number and complexity—plus the frequent changes that a 24/7 online world demands—application vulnerabilities can emerge at any time. Regulations like PCI DSS require regular scanning of applications and platforms, but most organizations only test their applications a couple of times a year. These scans typically generate a large number of false positives, and the work required to identify and prioritize the most important risks is far too time-consuming.

Trend Micro Deep Security for Web Apps provides automated scanning of platform and application layers, plus hands-on application logic testing by security experts. We also remove false positives, saving you time and effort by allowing you to focus on those vulnerabilities that truly represent a threat. Our solution includes:


Immediate Vulnerability Blocking

You’ve discovered a serious vulnerability. Now what? With each moment that passes without remediation, you risk exploitation and the resulting impact to reputation, brand, and customer trust. But fixing web application code or patching platforms is time-consuming.

Deep Security for Web Apps allows you to immediately block vulnerabilities by providing the following mechanisms at both platform and application level:

  Native Rule Export for Leading Web Application Firewalls


Unlimited SSL Certificates for Lower Costs and Greater Trust

The Secure Sockets Layer (SSL) protocol is a fundamental requirement for securing web applications. However, traditional per-certificate pricing makes SSL costly and tricky to implement. Addressing configuration errors and tracking individual certificate expiry dates further complicates matters.


Included with Deep Security for Web Apps, unlimited SSL lets you:

  • Issue unlimited SSL certificates for dramatic savings vs. traditional SSL suppliers. This includes Extended Validation (EV) certificates at no additional cost.
  • Cover more than 99% of browsers and support capabilities such as Unified Communication Certificates (UCC)
  • Perform SSL health checks to uncover configuration and certificate-expiry risks
  • Feel confident knowing Trend Micro only delivers SSL certificates directly to its customers—no third-party Local Registration Authorities are involved.



For technical support information, please visit Trend Micro eSupport.

Common questions, including where to find more information:

Which browsers, applications, and devices are supported by Trend Micro?
The Trend Micro SSL root certificate is embedded in most major browsers. This means that SSL certificates issued by Trend Micro SSL are trusted automatically and transparently by most browsers, providing maximum end-user security and usability. For details, see the list of supported browsers, applications, and devices.

How do I create a CSR?
Before you send a request for an SSL certificate, you must create a Certificate Signing Request (CSR) on the server that you want to secure. For instructions, see create a CSR.

How do I install my SSL certificate?
After you submit the CSR and receive your SSL and intermediate certificates, you will need to install them on your server. For instructions, see install your SSL certificate.


What’s included with the different types of Trend Micro Web App Security licenses?

Trend Micro Web App Security is subscription-based Software as a Service (SaaS) available in three different packages, allowing you to match product capabilities to the security requirements of your various web applications.

  • Trend Micro Web App Security – Standard: Provides intelligent application scanning, including platform vulnerability and web application scanning, malware monitoring, web reputation monitoring, false positive removal, and unlimited SSL certificates for your web application.
  • Trend Micro Web App Security – Advanced: Provides everything included in the Standard version and adds protection capabilities beyond SSL, including automatic platform protection and native WAF integration.
  • Trend Micro Web App Security – Enterprise: Provides everything included in the Advanced version and adds annual application logic testing and proof of exploitation by Trend Micro web application security experts.

How many types of vulnerabilities do you detect?

With more than 54,500 checks across more than 14,000 vulnerabilities, including all OWASP and Web App Security Consortium testing criteria, Trend Micro Web App Security provides application vulnerability testing to the highest industry standards. It detects technical flaws, such as cross-site scripting and SQL injection, as well as logical flaws, such as account privilege expansion and improper session handling.

What type of information do you provide about vulnerabilities?

Trend Micro Web App Security provides a detailed description, CVE-ID, compliance status, list of affected components, and suggested solutions for the vulnerabilities found in your web applications.

What types of reports does Trend Micro Web App Security produce?

Web App Security produces detailed, auditable reports that document vulnerabilities, remediation, and policy compliance status. You can create customized reports of your platform scanning, application scanning, and malware detection results. Web App Security also comes with these predefined summary reports:

  • Last Platform Scan Summary
  • New Platform Vulnerabilities Found in Last Scan
  • Platform Vulnerabilities by Age
  • Last Application Scan Summary
  • New Application Vulnerabilities Found in Last Scan
  • Application Vulnerabilities by Age
  • Last Malware Scan Summary
  • New Malware Alerts Found in Last Scan
  • Malware Alerts by Age

You can generate one-time reports or schedule recurring reports that are created and emailed to recipients on a regular basis.

The Web App Security console also has a dashboard that you can customize with up to 17 different widgets that provide a visual overview of the status of your system.

How does the malware detection feature work?

Trend Micro Web App Security’s unique malware detection engine ensures that your websites and customers are safeguarded from fast-growing malware attack vectors and newly discovered malware. The malware solution detects dead and inactive malware by monitoring any external JavaScript and hidden iframes placed on your website.

Using a sandboxing technology, the Web App Security malware engine leverages a database of over three million malware signatures and state-of-the-art behavioral analysis using file and registry detection. This allows Web App Security to find both known and zero-day malware before it impacts your customers or is detected by a blacklisting service.

Which Web Application Firewalls are compatible with Trend Micro Web App Security?

Web App Security provides automatic generation of XML configuration files, which you can deploy to a Web Application Firewall (WAF) to provide rapid protection against vulnerabilities found in application scanning results. You can use Web App Security to automatically generate rules for these WAF products:

  • Imperva SecureSphere
  • Alert Logic Security Manager
  • Citrix NetScaler VPX
  • ModSecurity

Which web browsers can I use to access the Trend Micro Web App Security console?

Although it works with many browsers, Web App Security has been designed and tested to work best with Microsoft Internet Explorer 8 and 9, and with Mozilla Firefox 11 or later.

Which IP addresses do I need to whitelist?

Please ensure that your network does not block scanning traffic from the following IP addresses, which belong to the Trend Micro Web App Security data center: (IP range to

How does a reverse proxy server affect scan results?

Application scanning and malware detection are not affected by reverse proxies.

Using a reverse proxy server only affects the results for platform scanning. When Trend Micro Web App Security performs a platform scan, it probes the OS and web server layers of your server to discover vulnerabilities. Platform scanning is effective only if the machine that hosts the web server is directly visible to Trend Micro Web App Security. If you are running your web server behind a reverse proxy, Web App Security will scan and return results for the reverse proxy machine and not the target web server machine.

Will scanning affect the performance of my web app?

Scanning will increase the load on your systems, so you should schedule scans for times when your site is not typically busy.

Why am I getting multiple test email messages?

The Trend Micro Web App Security application scanning feature uses remote scanning to detect vulnerabilities at the web application level. By default, when you add a web application to Web App Security, all pages in the web app will be scanned. This includes pages with HTML forms, which will be filled with test information and submitted. If your web application is written to trigger email messages on form submissions, the emails would get sent to the recipients with the test information included. In some cases, a large number of form submissions will be made during application scanning.

If you want to exclude select HTML form pages from your application scans, please contact Trend Micro Customer Support. Please note that such exclusions should be minimized as much as possible since the excluded pages will not be tested for application vulnerabilities. If you choose to exclude pages, please invest extra effort to ensure all external input on those pages is sanitized and appropriately encoded before such data is stored or displayed.

Where can I get information on how to use the Web App Security console?

You can access the Web App Security online help from the Help menu in the Web App Security console. You can also go to .

How do I set the starting point for scans?

You can use a scan root to specify the starting point for web application scans. If you do not specify a scan root, Deep Security for Web Apps will use the Web Application URL as the starting point and will crawl all sub-directories. The scan root can be a web path, a web page, or both. For example, if your web application is accessed at, the base Web Application URL is and the scan root should be /csr/index.aspx.

You can also use a restrict path to limit the scanner to a specific directory path. The path should begin with a slash (/), for example: /directory. All sub-directories of that path will be included. If you want to further define which directories will be crawled, you can use the Web Application Scope filters.

To configure these settings:

  1. Log in to the Deep Security for Web Apps console.
  2. Go to Administration > Web Applications.
  3. Select the web application you want to configure.
  4. Go to Application Scanner Settings to configure web application scanning. Go to Malware Detection Settings for malware scanning.
  5. Specify the Scan Root or Restrict Path settings.
  6. Under Web Application Scope, you can add rules about which directories will be crawled.

For details on the Scan Root, Restrict Path, and Web Application Scope settings, please see the Deep Security for Web Apps Help.
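A restrict path narrows what the scanner crawls, so it helps to know which of your application's URLs it leaves untested. The following is an added example, not Trend Micro code: it assumes the restrict path is matched as a whole-directory prefix after path normalization, and the function names, the example.com hosts and the URL inventory are constructed for illustration.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit


def in_restrict_path(url: str, app_url: str, restrict_path: str) -> bool:
    """True if url belongs to the app and lies under restrict_path."""
    target, base = urlsplit(url), urlsplit(app_url)
    # Different scheme, host or port: not part of this web application.
    if (target.scheme, target.netloc.lower()) != (base.scheme, base.netloc.lower()):
        return False
    # Decode and normalise so /directory/../admin is judged as /admin.
    path = normpath(unquote(target.path) or "/")
    root = normpath(restrict_path)
    if root == "/":
        return True
    # Compare on segment boundaries: /directory must not match /directory-old.
    return path == root or path.startswith(root + "/")


def unscanned(urls, app_url, restrict_path):
    """URLs from an inventory that the restrict path leaves out of the crawl."""
    return [u for u in urls if not in_restrict_path(u, app_url, restrict_path)]


# Constructed inventory for a hypothetical application.
APP_URL = "https://app.example.com"
INVENTORY = [
    "https://app.example.com/directory",
    "https://app.example.com/directory/reports/q1.aspx",
    "https://app.example.com/directory-old/login.aspx",
    "https://app.example.com/directory/../admin/users.aspx",
    "https://app.example.com/directory/%2e%2e/admin/",
    "https://static.example.com/directory/app.js",
]

if __name__ == "__main__":
    for url in unscanned(INVENTORY, APP_URL, "/directory"):
        print("not covered by scan:", url)
```

URLs reported here need coverage from another scan configuration or from manual review, since pages outside the scope are not tested for application vulnerabilities.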

