
If you have left your Heroku app alone for 3 years, you are definitely at risk of getting rooted: https://blog.heroku.com/archives/2013/1/11/rails_security_vu...


You don't need to ssh into the box to take care of Rails vulnerabilities; just redeploy. Heroku is taking care of any vulnerabilities in the rest of the stack: Postgres, Nginx, SSH, etc.


The thing is, that's actually the easy bit - use apt-get upgrade on, say, Ubuntu LTS and you will very rarely see problems with your upgrade of software like Postgres, Apache, ssh or nginx - it's so widely used that you're unlikely to run into issues, and upgrading takes a few minutes every few months.

The things you need to test then deploy are upgrades to your language and framework/app, and those present exactly the same problem on Heroku or on, say, a VPS. You can't just redeploy your app without testing on a new config, and deploys to Heroku are no easier or harder than deploys to your own server once set up.


You also don't need to ssh into the box with Chef...


Technically you're both wrong - both Chef and git use ssh as an underlying transport.


Pedant time! ssh is just one of many transports that git can use.


He's right though about Heroku, you use ssh as the transport to deploy via git.


Who says it's a Rails app? I run a couple raw-rack apps that hum along just fine with very, very occasional updates.



