Applying security updates, indeed any update, is cringe-inducing. We apply security updates manually; we check whether some previous developer hacked whatever module we're updating (or core); we have to remember to look inside a /patches directory; then, when we're done updating, we somehow have to confirm that nothing is broken, without any guidance on what we need to check, so we click around our site aimlessly before determining that an update works.
In this talk we will look at a Docker-based approach to managing site assets for local development which guarantees your site is always up to date, and which fails if a new version of a module (or core) has an unmet dependency or a patch which no longer applies.
We will look at the idea of a build step which generates code for remote hosting only when needed; we will look at how to write end-to-end tests which guarantee that your critical site functionality never breaks, and how to keep everything under continuous integration.
Finally, we will look at how Drupalgeddon-type events can be managed in such a workflow.