Hacker News

It's easy to tunnel-vision into the security of your own code and forget that everything you depend on must also be secure. This could span from your framework's cookie signing to the version of OpenSSL you're using on the server to the access controls of your VPS.

Unattended upgrades are a good start for your OS-managed dependencies, but make sure to keep up with your app-managed dependencies. You could set up a continuous-integration thing that runs your tests against the latest minor versions of all of your dependencies and upgrades when deemed safe, though you need excellent test coverage to get away with it.

Anyone know of great resources for managing your deployments and dependencies? Something other than "here's how we use docker."

Related plug: There is https://appcanary.com/ which is a dependency vulnerability alerting service (disclaimer: I'm friends with the founders, swell folks who genuinely care about improving the safety of code everywhere). Many vulnerability databases are public, but keeping track of things—especially across platforms and database providers—is really painful.
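The upgrade loop the comment sketches (pick the newest minor/patch release of each pin, run the suite, keep the bump only if it passes) and the advisory matching it mentions near the end are shown below as one added, self-contained example. This is not code from the thread or from appcanary: the package names (webfw, xmlparse, httpstack), the version lists, the advisory ranges and the fake test suite are all constructed for illustration, and versions are assumed to be plain MAJOR.MINOR.PATCH semver.

```python
"""Pick safe minor/patch upgrades, apply them one at a time behind a test run,
and flag pins that a vulnerability advisory still covers afterwards.

Added example with constructed data; no network access and no real packages.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]
Pins = Dict[str, str]
# Advisory: (package, first vulnerable version inclusive, fixed version exclusive)
Advisory = Tuple[str, str, str]

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (assumes strict semver)."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def latest_same_major(current: str, candidates: List[str]) -> str:
    """Highest candidate that keeps the major version: minor/patch bumps only."""
    cur = parse_version(current)
    best = cur
    for cand in candidates:
        v = parse_version(cand)
        if v[0] == cur[0] and v > best:
            best = v
    return "%d.%d.%d" % best


def is_vulnerable(pkg: str, version: str, advisories: List[Advisory]) -> bool:
    """True if any advisory range [first_vulnerable, fixed) contains the version."""
    v = parse_version(version)
    return any(
        name == pkg and parse_version(lo) <= v < parse_version(fixed)
        for name, lo, fixed in advisories
    )


def plan_upgrades(pinned: Pins, available: Dict[str, List[str]],
                  advisories: List[Advisory]) -> Dict[str, dict]:
    """For each pin: the minor-only target, and whether it is/remains vulnerable.
    'still_vulnerable' is the case a minor-only policy cannot fix on its own."""
    plan = {}
    for pkg, cur in pinned.items():
        target = latest_same_major(cur, available.get(pkg, []))
        plan[pkg] = {
            "from": cur,
            "to": target,
            "vulnerable_now": is_vulnerable(pkg, cur, advisories),
            "still_vulnerable": is_vulnerable(pkg, target, advisories),
        }
    return plan


def apply_upgrades(pinned: Pins, plan: Dict[str, dict],
                   run_tests: Callable[[Pins], bool]) -> Tuple[Pins, List[str]]:
    """Apply upgrades one package at a time so a failing suite is attributable;
    keep a bump only if run_tests() passes on the trial pin set."""
    accepted = dict(pinned)
    rejected: List[str] = []
    for pkg, entry in plan.items():
        if entry["to"] == entry["from"]:
            continue
        trial = dict(accepted)
        trial[pkg] = entry["to"]
        if run_tests(trial):
            accepted = trial
        else:
            rejected.append(pkg)
    return accepted, rejected


def vulnerable_pins(pins: Pins, advisories: List[Advisory]) -> List[str]:
    """Names of pins that still match an advisory; these need a human."""
    return sorted(p for p, v in pins.items() if is_vulnerable(p, v, advisories))


# --- Constructed sample data (hypothetical packages, not real advisories) ---
PINNED: Pins = {"webfw": "4.2.1", "xmlparse": "1.6.5", "httpstack": "1.5.2"}
AVAILABLE = {
    "webfw": ["4.2.0", "4.2.1", "4.2.6", "5.0.0"],
    "xmlparse": ["1.6.5", "1.6.8", "1.7.0"],
    "httpstack": ["1.5.2", "1.5.4", "1.6.0", "2.0.1"],
}
ADVISORIES: List[Advisory] = [
    ("httpstack", "1.5.0", "1.5.4"),   # fixed within the same minor series
    ("xmlparse", "1.0.0", "1.6.8"),    # fixed by a minor bump
    ("webfw", "4.2.0", "5.0.0"),       # only fixed by a major bump
]


def fake_test_suite(pins: Pins) -> bool:
    """Stand-in for the real suite: pretend xmlparse 1.7.0 breaks the app."""
    return pins["xmlparse"] != "1.7.0"


if __name__ == "__main__":
    plan = plan_upgrades(PINNED, AVAILABLE, ADVISORIES)
    new_pins, rejected = apply_upgrades(PINNED, plan, fake_test_suite)
    print("accepted:", new_pins)
    print("rejected by tests:", rejected)
    print("still vulnerable, needs manual attention:",
          vulnerable_pins(new_pins, ADVISORIES))
```

Two things the output makes visible that the comment only implies: a rejected upgrade (xmlparse here) leaves a known-vulnerable version in place, so the test failure itself has to be escalated rather than quietly skipped; and a pin whose fix lives behind a major bump (webfw) never gets picked up by a minor-only policy, so the advisory check has to run on the post-upgrade pin set, not just the pre-upgrade one.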