Broke but Breached: Secret Scanning at Scale on a Student Budget

Unknown

BSides Las Vegas 2025 · Day 1

This session presents a large-scale **secret scanning** research effort focused on **Visual Studio Code extensions** in the public marketplace. The speaker, who introduces herself as Ravita and describes recently completing a master's in cybersecurity at the University of Maryland College Park, frames the work as a mission to find exposed **secrets** before attackers do. The talk is explicitly scoped to VS Code extensions because of rapid marketplace growth from roughly 2023 to 2025 and the speaker's observation that extensions are often bundled with configuration files and **environment variables** that leak credentials. The narrative connects public secret leaks to real breaches in principle (the transcript cites **SolarWinds** in the context of **FTP credentials** pushed to **GitHub** as an example of preventable leakage) and argues that checks in the build and publishing pipeline could reduce such incidents. The core contribution is operational: how to crawl, download, and scan a very large extension corpus using **TruffleHog** on **Kubernetes** with minimal cloud spend, **under fifteen dollars** by the speaker's account.
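The scan step of the pipeline, reduced to its essentials, as an added example that is not the speaker's code: a VSIX is a zip archive, so a worker unpacks each member, skips binaries, and runs detectors over the text. The two regexes and the entropy cut-off below are assumptions standing in for TruffleHog's detector set (in the real pipeline you would unpack and run `trufflehog filesystem <dir>` instead); the sample extension and its credential values are constructed placeholders, and the secret key is the one from AWS's own documentation.

```python
"""Toy secret scan over a VSIX package (a zip). Added example, not the talk's code:
two well-known credential shapes plus an entropy check on secret-looking assignments."""
import io
import math
import re
import zipfile
from collections import Counter

# Detector regexes for two widely documented credential formats (assumed subset).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# KEY=value lines whose key name looks secret-bearing; the value is then entropy-checked.
ASSIGNMENT = re.compile(
    r"(?im)^\s*([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)\s*[=:]\s*[\"']?([A-Za-z0-9/+_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune for your corpus


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score above roughly 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to its source without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_text(path: str, text: str) -> list:
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append({"path": path, "detector": name,
                             "line": line_of(text, m.start()), "value": redact(m.group(0))})
    for m in ASSIGNMENT.finditer(text):
        value = m.group(2)
        # Low-entropy values (repeated words, placeholders) are dropped to cut noise.
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append({"path": path, "detector": "high_entropy_assignment",
                             "line": line_of(text, m.start()), "value": redact(value)})
    return findings


def scan_vsix(vsix_bytes: bytes) -> list:
    """Walk every member of the VSIX archive; binary members are skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if b"\x00" in data:
                continue
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue
            findings.extend(scan_text(info.filename, text))
    return findings


def build_sample_vsix() -> bytes:
    """Constructed sample extension: a manifest, a bundled .env and an icon.
    All values are fabricated placeholders; the secret key is AWS's documentation example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", '{"name": "demo-ext", "version": "0.0.1"}')
        zf.writestr("extension/.env",
                    "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB\n"
                    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                    "SESSION_TOKEN=placeholderplaceholderplaceholder\n"
                    "DEBUG=true\n")
        zf.writestr("extension/icon.png", b"\x89PNG\r\n\x1a\n" + bytes(64))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_vsix(build_sample_vsix()):
        print(f"{f['path']}:{f['line']} {f['detector']} {f['value']}")
```

On the constructed sample the access key ID is caught by its fixed prefix, the secret access key by the entropy check, and the repeated-word `SESSION_TOKEN` placeholder is correctly ignored; the PNG never reaches the regexes. Redacting values in the findings matters at marketplace scale, since the scan output itself becomes a list of live credentials otherwise.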

AI review

Practical, systems-minded secret scanning at real marketplace scale with honest constraints (CPU, rate limits, budget). The TruffleHog-plus-Kubernetes story is reproducible in spirit and the findings—while partly aggregate—include enough verified categories to matter.
