How should webapps handle addresses/wallets?

4

There is a ton of bitcoin information, but it's hard to find up-to-date best practices for making webapps. I am very comfortable making secure webapps, and I'd like to start some bitcoin related webapps, and using a merchant solution like bitpay is not an option. Could someone steer me towards the right keywords and concepts to do this?

When starting a bitcoin webapp, where each account can send and receive bitcoin, what are the best practices around bitcoin transactions? How are bitcoin transactions around accounts handled for online exchanges? Should each account be set up as a separate wallet? Or is it safe enough to give each account an address and record a balance and transaction history tied to each account? Is it necessary to use bitcoind or are there other methods for making transactions?

What kinds of security/safeguards should all bitcoin webapps have (i.e. is it necessary to have cold storage, two-factor auth, etc.)?

Edit: I'd like to originate and also receive bitcoin payments. I want to make it easier for people to get started if they have friends that already have bitcoin. So a bitcoin holder can set up an account. Then s/he can email bitcoin to the friend via the app. The app then emails the friend the transaction details if they already have an account; otherwise it will send an invitation to create an account along with some intro to bitcoin articles. Paying an X% processing fee doesn't make sense in this case where I expect most transactions to be small.

John

Posted 2013-04-14T13:56:02.380

Reputation: 539

Very hard to answer this without having some idea about the type of app. The most obvious question is if you are going to be the originator of Bitcoin payments or just the recipient, but if you provided more information it would give us the ability to provide a clearer answer.

jgm 2013-04-14T14:12:17.803

Sorry, I thought this question might be useful for other webapp developers. I've updated the question.

John 2013-04-14T14:44:54.493

I'm not sure what you're trying to make, but I know bitfloor and coinbase have good merchant APIs which take care of most of the details you're talking about.

Loourr 2013-04-14T20:46:00.727

Answers

1

bitcoind has a feature named "accounts" which does exactly that: handles the balance in separate accounts, which you can map to your users. It automatically generates new addresses for the accounts, can move coins between accounts, etc.

Obviously you must take great care in keeping it as secure as possible.

o0'.

Posted 2013-04-14T13:56:02.380

Reputation: 5 180

bitcoind seems like it will work. How does JSON-RPC fit into this picture?

John 2013-04-16T11:47:07.843

@John you may interact with bitcoind using json-rpc.

o0'. 2013-04-16T11:57:28.160
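
The mapping described in the answer and comments above, as an added example (not code from the thread or from bitcoind): a small JSON-RPC client that ties each webapp user to a bitcoind account. The `BitcoindAccounts` class, the `user-<id>` label scheme, the 6-confirmation default and the injectable `transport` are assumptions; `getnewaddress`, `getbalance` and `move` are the account-era RPC calls, which later Bitcoin Core releases deprecated (0.17) and removed (0.18).

```python
import base64, json, urllib.request
from decimal import Decimal

class BitcoindAccounts:
    """Ties webapp user ids to bitcoind "accounts" over JSON-RPC (hypothetical helper)."""

    def __init__(self, url, rpcuser, rpcpassword, transport=None):
        # Keep the RPC port bound to localhost; load credentials from config, not source.
        token = base64.b64encode(f"{rpcuser}:{rpcpassword}".encode()).decode()
        self.url, self._id = url, 0
        self.headers = {"Authorization": "Basic " + token,
                        "Content-Type": "application/json"}
        self.transport = transport or self._http_post  # injectable for offline tests

    def _http_post(self, body):
        req = urllib.request.Request(self.url, data=body, headers=self.headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()

    def call(self, method, *params):
        self._id += 1
        body = json.dumps({"jsonrpc": "1.0", "id": self._id,
                           "method": method, "params": list(params)}).encode()
        # Parse amounts as Decimal so balances are never compared as binary floats.
        reply = json.loads(self.transport(body), parse_float=Decimal)
        if reply.get("id") != self._id:
            raise RuntimeError("reply id does not match request id")
        if reply.get("error") is not None:
            raise RuntimeError(f"bitcoind error: {reply['error']}")
        return reply["result"]

    @staticmethod
    def account_for(user_id):
        # Assumed label scheme: built from the integer primary key, never from user text.
        return f"user-{int(user_id)}"

    def deposit_address(self, user_id):
        return self.call("getnewaddress", self.account_for(user_id))

    def confirmed_balance(self, user_id, minconf=6):
        return self.call("getbalance", self.account_for(user_id), minconf)

    def internal_transfer(self, from_user, to_user, amount_btc):
        # Off-chain move between two users; the balance check is done here in the app.
        amount = Decimal(amount_btc)
        if amount <= 0 or amount > self.confirmed_balance(from_user):
            raise ValueError("amount must be positive and covered by confirmed balance")
        return self.call("move", self.account_for(from_user),
                         self.account_for(to_user), float(amount))
```

The balance check and the `move` call are two separate RPC requests, so a real deployment would serialize transfers per user (for example with a database lock) to keep concurrent requests from spending the same balance twice.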