Starting a BTC/ETH company?
This list of security incidents was created to get your attention and point you to security resources.
These will be your primary security concerns:
- Protect key material. Your servers will be accessed.
- Be defensive against application vulnerability. You will have bugs.
- Protect all authentication to your cloud infrastructure (two-factor authentication, strong and unique passwords). Your employees will re-use passwords and bad guys will get them.
- Limit the exposure of funds with cold storage, HSMs, and Multi-Signature transactions. This is because intrusions will happen anyway.
- Design for collusion whenever possible for sensitive or high value operations. Don’t allow a lone insider too much influence.
If this seems intimidating, here’s some further advice!
Bitcoin Specific Advice
These are practices that are unique to blockchain companies.
- Cold Storage can reduce the impact of a security breach from 100% to a configurable percentage. After this, reduce your risk of a large hot wallet even further with cryptographic hardware or multisignature transactions.
- After reducing the amount of funds you’d store in a “Hot Wallet”, use multisignature transactions to secure a hot wallet even further.
- Use an HSM that will protect key material and make it extremely hard to make a transaction that cannot be audited. It will also defend greatly against insider threats.
General Security
These are practices that are common at any company, not just a blockchain company.
- Starting up Security is advice for company wide security.
- Product Security and Modern Product Security discuss the development of a secure product.
- Investigating Account Takeover discusses the massive amounts of phishing, malware, and other attacks that will directly target and steal from your customers.
- Preventing Account Takeover will discuss the automated ways you can prevent takeover of your customer accounts.
- Bounty Launch Lessons and Bug Bounty 5 Years In will help you start a bug bounty program from scratch. You want your bugs to look like disclosures instead of complete and total failures.
- Red Teams will help you simulate a worst case incident scenario before it happens.
- Scott Roberts from Github writes about hunting for adversaries on your infrastructure. Ryan Huber from Slack discusses approaches to alerting.
- Security Breach 101 will help you understand the complex coordination of an incident in progress.
- Coinbase’s security should also act as a reference model for your own security program.
About
This started as bitcoin_breaches.txt on my laptop and I figured it would pair well with Starting Up Security for the BTC / ETH community. A much broader list exists here at bitcointalk that includes scams and fraud.
Feel free to suggest additions to the graveyard or advice section in pull requests.