
One thing to bear in mind when evaluating the significance of vulnerable libraries is that there are different degrees of owned-ness.

* The ability to get a containerized app to promote you to an in-app admin

* Getting RCE as the application user

* Escalating from the application user to the container's root

* Going from container root to attacking the host

Each of these represents, broadly, an increase in threat. Each attack can be aided by outdated and vulnerable versions of libraries or utilities. It's not always obvious what in your container can be attacked or used to escalate, and how a developer intends a container to be used isn't always a good guide.

Designing for safety means designing for safe failure. Designing for security means designing for being pwned and minimizing the blast radius. The common term of art is "defense in depth".
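One way to act on the comment's escalation ladder is to check a container's own configuration for the settings that make each rung cheaper. The following is an added example written for this discussion (not code from the commenter or any project): it audits a Dockerfile string plus a compose-style service dict and maps each finding to the rung it helps an attacker climb; the sample configurations and the `audit_service` name are constructed for illustration.

```python
"""Flag container settings that lower the cost of each escalation step."""
import re

def dockerfile_runs_as_root(dockerfile: str) -> bool:
    """True when no USER instruction exists or the last one resolves to root."""
    users = re.findall(r"^\s*USER\s+(\S+)", dockerfile, flags=re.I | re.M)
    if not users:
        return True
    return users[-1].split(":")[0] in ("root", "0")

def audit_service(dockerfile: str, service: dict) -> list:
    """Return (rung, finding) pairs; an empty list means no cheap paths found."""
    findings = []
    if dockerfile_runs_as_root(dockerfile):
        findings.append(("app user -> container root", "process runs as root; add a USER instruction"))
    if service.get("privileged"):
        findings.append(("container root -> host", "privileged: true grants all capabilities and device access"))
    caps = {c.upper() for c in service.get("cap_add", [])}
    if caps & {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}:
        findings.append(("container root -> host", f"dangerous capabilities added: {sorted(caps)}"))
    for vol in service.get("volumes", []):
        src = vol.split(":")[0]
        if src in ("/var/run/docker.sock", "/"):
            findings.append(("container root -> host", f"sensitive host path mounted: {src}"))
    if service.get("pid") == "host" or service.get("network_mode") == "host":
        findings.append(("container root -> host", "shares the host pid or network namespace"))
    # Compose spells this option "no-new-privileges:true"; without it setuid binaries can regain root.
    if "no-new-privileges:true" not in service.get("security_opt", []):
        findings.append(("app user -> container root", "missing security_opt no-new-privileges:true"))
    if not service.get("read_only"):
        findings.append(("RCE as app user", "writable root filesystem lets dropped tools persist; set read_only: true"))
    return findings

# Constructed sample input: a weak service definition beside a hardened one.
WEAK_DOCKERFILE = 'FROM python:3.12-slim\nCOPY app /app\nCMD ["python", "/app/main.py"]\n'
WEAK_SERVICE = {"privileged": True, "volumes": ["/var/run/docker.sock:/var/run/docker.sock"]}
HARDENED_DOCKERFILE = WEAK_DOCKERFILE.replace("CMD", "USER 10001:10001\nCMD")
HARDENED_SERVICE = {"read_only": True, "cap_drop": ["ALL"], "tmpfs": ["/tmp"],
                    "security_opt": ["no-new-privileges:true"]}

if __name__ == "__main__":
    for name, df, svc in (("weak", WEAK_DOCKERFILE, WEAK_SERVICE),
                          ("hardened", HARDENED_DOCKERFILE, HARDENED_SERVICE)):
        print(name, audit_service(df, svc))
```

Running it reports five findings for the weak pair and none for the hardened one; the rung labels follow the comment's list so a reviewer can see which step each setting would cheapen.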


