You should assume your site is going to be hacked, and design with that in mind.
Blaming things on "poor coding" is a get out. There will always be bugs. You must be sure your procedures, your protocols, are faultless despite these bugs.
The majority of bitcoins should be in offline storage, and your hot wallet should be on its own dedicated server, with access through some kind of very limited API that does sanity checks and rate limiting on everything. (Access could be through a custom and very carefully written daemon i.e. not just some Apache HTTP API with associated vulnerabilities!)
Ideally, the user owns an encryption key that is used to somehow client side sign transactions (or any other action they take) which are applied to their account or the hot wallet.
Even then, a hacker could presumably hijack the serving of your pages, modify the crypto etc to steal their key. But at least if the user's key was only generated once and is only used by them occasionally, the chance for massive theft is reduced. Two factor auth may help too.
You could have daemons on other hidden servers that regularly check your site and its resources for tampering, suspending everything if necessary. Perhaps release a browser add-on which verifies your site. Your entire site could be signed, and the add-on could request a new signature to verify any changes. (And you perform this signing offline). As long as the user's browser or the add-on publishing system doesn't get compromised, you'll be alright ;)
To summarise all that:
- client side encryption/authorisation of any action a user can take
- this simply tunnels through the terribly insecure WWW/apache etc layer to a very limited access highly secure "hot wallet" server
- some way of verifying that client side encryption is not compromised, e.g. watchdogs running on IPs unknown to attackers
- (and lots of other watchdogs all over the place which halt service at the slightest cause for concern)
You'll do all this and then your hosting provider will be compromised by social engineering.
At the end of the day, all said and done, your most effective protection will be the offline cold wallet with manual (and slow and annoying) transfers of customer's funds, and regular audits to check all funds are actually there (mtgox lol).
btw, this is written by somebody with no background in security, imagine what somebody who did have such a background might write ;)
Final point: If you are thinking of running a wallet service, don't. Just don't. Give up now. It's going to end in tears, and death threats.
Right. I'm pretty good with security, but you're absolutely right. A second and third pair of eyes are great! I'm inviting some local friends who work in security over for a weekend hackathon before the site launches. We'll eat pizza, and run every kind of attack we can think of against the thing. I just don't want to look like an idiot, if there's anything else I can think of ahead of time that I'm not on top of. And I certainly don't want to get goxed after the fact. – Yitzhak – 2014-03-05T13:17:44.513
I wish you luck with your website and suggest you not to keep all the bitcoins on the server. If you get hacked that means you are growing :P – Khan Shahrukh – 2014-03-06T16:32:17.660