New studies show web sites fending off 95% more exploits than they could five years ago, and 30% safer than just last year.  But are mobile devices throwing a wrench in the works?  Three options: opening the backend for APIs, leveraging existing web logic to feed mobile, and, lastly, the brute scrapers.  How simple strategies are often the most secure.

Amid the bluster of all the web can do, there is the most important thing:  Web forces choice.  I’m not talking about “users” (that term oddly favored in illegal drugs and online services).  Users have cheap and easy options from every corner of the web.  I’m talking about the companies that create those web experiences.  For companies, choices are expensive and difficult: like which data to surface, which business process to offer, and how to deliver the two.  And, perhaps most importantly, how to secure it all.

Most of our corporate web sites have been built and secured through a decade of such decisions.  And we have the infrastructure to prove it.  We have, by now, layers of security to protect the web site against threats of the past (remember SQL injection?), present, and -- one can hope at least -- future.  Web security is getting better.  Wonky studies find vulnerabilities in business web sites are now down to their lowest level ever, dropping 30 percent in the past year.  And down 95% since 2007.  The desktop web is, at long last, the most secure part of the public-facing internet.

Enter, of late, mobile devices.  (And tablets, and a whole bag of cool new gadgets.  And those awful Google glasses).  For each, apps all around.

Business mobile apps and sites are not very useful without business data.  The problem, of course, is that the company data is stored in a swath of database server tables spread across the enterprise: across departments and locations; some housed in Oracle, some in MySQL, some in who-knows-what.  There are APIs -- and lots of other services -- used internally to move data around.  And some application servers (et al.) to do useful things to the data.  On the web site, it’s all surfaced, and you can lock it down with security technologies designed to protect a web presence.  But behind the HTML?  Thank God for intranet firewalls.

Oh, how I love all the talk about the separateness of business logic and data.  In some parallel (fantasy) business world the two are not intertwined by years of short deadlines, layers of “temporary” architectures, departed dot-net programmers.  We all say we want to keep model, view, and controller separate on the back end.  But that hasn’t been true anywhere I’ve worked.  Web workflows are logic and data mixed together, and getting at all that stuff often requires mining deep down in the intermixed corporate data infrastructure.  For me that would mean a lot of favors from IT.

Now, these workflows need to be mobile.  I see three choices, which I will number.  The first is to get IT to open up the corporate backend and create APIs to duplicate the workflow.  The second is to leverage the web workflow you have and get it to present and work nicely on a mobile device.  The third, a longtime agency favorite, is to scrape away at your site and use the scrapings to make new mobile forms.

Opening up APIs in your corporate backend -- as IT might lecture you -- can create security vulnerabilities faster than you can say Chinese government-sponsored hacking.  REST and the rest depend on this or that programmer to gin up some ad-hoc security in most cases, if they have time.  Managing parallel business logic is also not fun.

Screen scraping doesn’t sound like a long-term solution because it’s not.  Amusing hacks like the cloud-based service “Scrapy” will do just that.  (Really.  It’s called Scrapy.)  And so will many of those agencies that promise to “mobilize” a traditional web site.  These ploys work until you change the web site.  Then the paint scraper lands in the wrong place and there’s all sorts of mobile mayhem.  It’s a nice way to get (steal) some web content and put it on a mobile device.  Scrapers don’t do workflow.

The leverage option is the most interesting.  Several companies offer products that import workflow and assets from existing web sites.  Moovweb is the most mature.  It performs the cloud-based process a bit over one billion times a month.  Mobile sites delivered this way can look very nice, and you can do wonderful things like take objects from clunky old web sites and package them up into whizzy HTML5 mobile experiences.

But the real advantage to leveraging-the-existing-web is security. The same security mechanisms that are protecting the web site now protect the mobile sites and hybrid apps.  Since the cloud only talks to the production web site, it introduces no new risk.

Mobile security of this type is not as exciting as buying glamorous mobile infrastructure security products, or engaging in back-end archaeology.  But leverage works, and it’s a solid plan for the future that stands up to web site changes.  Oh, you can lavish some of the money you save on the front end, and everyone will ooh and ahh.

And there'll be lots left for dinner and drinks, and maybe a conference in Honolulu.  Now that’s a comprehensive mobile strategy.