Cloud Foundry secures containers through the following measures:
Running application instances in unprivileged containers by default
Hardening containers by limiting functionality and access rights
Only allowing outbound connections to public addresses from application containers. This is the original default. Administrators can change this behavior by configuring ASGs.