Deciduous-VS: Local Decision Tree Threat Modeling in VSCode
My Deciduous co-conspirator, Ryan Petrich[1], created a Visual Studio Code extension (Deciduous-VS) that lets you edit decision tree threat models alongside a live graph preview within VSCode.
This is a cool DX upgrade in itself, but this release also makes Deciduous compatible with GDPR and other regimes requiring a local development experience… like classified environments (you’re welcome, federal Deciduous fanbois across the world (u know who u are)[2]).
If you aren’t familiar with the open source Deciduous project, nor familiar with the delectation of developing decision trees via threat modeling as code[3], visit the repo for examples and getting started resources.
why use Deciduous-VS?
The Deciduous VSCode extension lets platform engineering, app dev, or security teams build decision tree-based threat models with the same live, interactive experience as the web app but within the world’s most popular IDE.
In practice, most engineering teams build and update Deciduous threat models in a collaborative fashion. Harnessing behavioral game theory to prepare for adverse scenarios requires variegated perspectives and assumption-poking by your own co-conspirators (although especially neurotic individuals, like yours truly, may enjoy solo play, too).
You’ll likely pull up Deciduous on a shared virtual screen, or on a big screen if IRL, making on-the-fly changes to the YAML code that defines the decision tree. With each change – in the spirit of immediate gratification that the technological society demands – Deciduous-VS immediately updates the rendered graph in VSCode’s secondary editor pane.
Using Deciduous-VS doesn’t lock you into VSCode for your decision trees; you can share the Deciduous .yaml files between the hosted (web) version and IDE version – while respecting your organization’s classification or compliance requirements, naturally[4].
Deciduous-VS vs. deciduous.app
Deciduous-VS offers most of the features available in the hosted app, including:
- Easy YAML structure to configure your decision trees using facts, attacks[5] (which can be any type of failure to generalize to other platform engineering scenarios), and mitigations
- Subjective commentary (i.e. optional shade throwing) on connections between nodes, e.g. labeling a decision to perform some action as '#yolo'
- Syntax highlighting to identify and keep track of facts, mitigations, and attacks/failures within your code
- Clickable nodes and edges in the graph that highlight the corresponding YAML source code to make navigating complex scenarios quicker
- Three graph color schemes that match the web app: dark, light, and accessible[6]
But! We actually gain more than just deciduous.app parity by slogging our way through Azure’s convoluted IAM to package decision tree-based threat modeling into VSCode, sprouting new functionality like:
- Quickly toggling between multiple decision trees in different tabs: useful for comparing trees or, as I’ve often found when advising organizations through their cross-team threat modeling exercises, quickly flipping to a specific graph when inspiration strikes while editing a different graph (part of why decision trees are so effective for threat modeling is how they nurture emergent, evolving ideation[7])
- Right-click export of the graph as PNG, SVG, or DOT directly to the local directory of your choice: useful for sharing the visual representation of Deciduous attack trees into other systems, from the comfort of your IDE
- Interactive git integration via VSCode’s native SCM features: useful to version decision trees over space and time as their unique context changes
- Collaborative editing via VSCode Live Share: useful for working with coworkers/co-conspirators/comrades on a decision tree without the hassle of screen sharing, where only one human can make edits and everyone has to put up with blurry, delayed text[8]
- Humoring security puritans: useful for editing behind a firewall or with a corporate policy that prohibits entering proprietary information into a web page (as we keep stressing, the server running deciduous.app doesn’t process your data; Deciduous runs entirely local within your browser, but the kind folks writing such security policies do not understand this (or pretend not to) nor know how to audit the source code (which is open), seemingly[9])
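To make the YAML structure from the feature list above (facts, attacks, mitigations, `from` edges, and the optional shade-throwing label on a connection) and the DOT export concrete, here is an added example that is not part of this post or of the Deciduous project. It builds a small constructed tree as the Python dict that PyYAML’s `yaml.safe_load` would hand you for the equivalent YAML, lints it for the mistakes that creep in during live group editing (a `from` pointing at a node nobody defined, a mitigation attached to nothing, an orphan node), and renders it to Graphviz DOT. The node kinds and `from` conventions reflect my reading of the Deciduous format, so treat them as assumptions and check the repo’s examples; the DOT shapes and the `lint_tree` rules are my own choices.

```python
"""Lint a Deciduous-style decision tree and render it as Graphviz DOT.

Added example (not Deciduous project code). The node kinds, `from` lists
and single-key `{node: label}` edge annotations are assumptions about the
Deciduous YAML layout; the sample tree is constructed for illustration.
"""

# Constructed sample, written as the dict you would get from
# yaml.safe_load() on the equivalent Deciduous YAML file.
SAMPLE_TREE = {
    "title": "Attack tree for a world-readable object store bucket",
    "facts": [
        {"reality": "Reality"},
        {"public_bucket": "Bucket is readable by anyone", "from": ["reality"]},
    ],
    "attacks": [
        {"enumerate": "Attacker guesses bucket names", "from": ["reality"]},
        # a labelled edge: the single-key mapping carries the commentary
        {"download": "Attacker downloads objects",
         "from": [{"public_bucket": "#yolo"}, "enumerate"]},
    ],
    "mitigations": [
        {"block_public": "Block public access at the account level",
         "from": ["download"]},
    ],
    "goals": [
        {"exfil": "Recordings exfiltrated", "from": ["download"]},
    ],
}

KINDS = ("facts", "attacks", "mitigations", "goals")
RESERVED = ("from", "implemented")  # keys that are not node ids (assumed)
SHAPES = {"facts": "box", "attacks": "ellipse",
          "mitigations": "octagon", "goals": "doubleoctagon"}


def parse_nodes(tree):
    """Return ({node_id: (kind, label)}, [(src_id, dst_id, edge_label)])."""
    nodes, edges = {}, []
    for kind in KINDS:
        for entry in tree.get(kind) or []:
            ids = [k for k in entry if k not in RESERVED]
            if len(ids) != 1:
                raise ValueError(f"{kind} entry must name exactly one node: {entry}")
            node_id = ids[0]
            nodes[node_id] = (kind, entry[node_id])
            for src in entry.get("from") or []:
                if isinstance(src, dict):          # {src_id: "#yolo"}
                    (src_id, edge_label), = src.items()
                else:                              # plain "src_id"
                    src_id, edge_label = src, ""
                edges.append((src_id, node_id, edge_label))
    return nodes, edges


def lint_tree(tree):
    """Return a list of problems; an empty list means the tree is consistent."""
    nodes, edges = parse_nodes(tree)
    problems = []
    # every `from` must point at a node that actually exists
    for src, dst, _ in edges:
        if src not in nodes:
            problems.append(f"{dst}: 'from' references unknown node {src!r}")
    # a mitigation that hangs off no attack mitigates nothing
    for node_id, (kind, _) in nodes.items():
        if kind == "mitigations":
            parents = [s for s, d, _ in edges if d == node_id and s in nodes]
            if not any(nodes[p][0] == "attacks" for p in parents):
                problems.append(f"{node_id}: mitigation is not attached to any attack")
    # a node with no edge in either direction is a leftover from editing
    touched = {s for s, _, _ in edges} | {d for _, d, _ in edges}
    for node_id in nodes:
        if node_id not in touched:
            problems.append(f"{node_id}: node is not connected to the tree")
    return problems


def _q(text):
    """Escape a string for use inside a double-quoted DOT attribute."""
    return str(text).replace("\\", "\\\\").replace('"', '\\"')


def to_dot(tree):
    """Render the tree as a DOT digraph, one shape per node kind."""
    nodes, edges = parse_nodes(tree)
    lines = ["digraph deciduous {", f'  label="{_q(tree.get("title", ""))}";',
             "  rankdir=TB;"]
    for node_id, (kind, label) in nodes.items():
        lines.append(f'  {node_id} [label="{_q(label)}", shape={SHAPES[kind]}];')
    for src, dst, edge_label in edges:
        attrs = f' [label="{_q(edge_label)}"]' if edge_label else ""
        lines.append(f"  {src} -> {dst}{attrs};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in lint_tree(SAMPLE_TREE):
        print("lint:", problem)
    print(to_dot(SAMPLE_TREE))  # pipe into `dot -Tsvg` to get the picture
```

Running the file prints the DOT text, which `dot -Tpng` or `dot -Tsvg` turns into the same kind of image the extension exports; the lint step is the part worth wiring into a pre-commit hook if you version your trees through VSCode’s SCM integration, since a dangling `from` is the most common breakage after a round of on-screen group edits.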
installing Deciduous-VS
To get started, search for Deciduous-VS in the VS Code extension “activity”[10] or press the Install button on this Visual Studio marketplace link. Once installed, activate Deciduous from the Command Palette or press the default assigned keyboard shortcut of Ctrl+Shift+D on Windows/Linux or ⌘⇧D on macOS.
By pressing these arcane symbols in the sacred order, you will command the thinking sand to vibe the Deciduous preview pane into life.
Many thanks to @fire for opening the VSCode extension request, as well as to all my cherished fanbois who’ve bugged me for a local version over the years.
As always, we beseech you to publish your own use cases to propitiate us and keep inspiring the Deciduous community, and to prove that threat modeling deserves civilized workflows. Please open issues in the repo should you have requests, or send feedback via carrier pigeon[11].
[1] in fairness, yours truly did attempt to write a Deciduous VS code extension last year, but did not finish due to the grim vicissitudes of living in a mortal society, and, subsequently, due to secret professional-flavored vagaries I will reveal in a few lunations as kindling against the raw, frostbitten nadir of northward winter, and I believe my co-conspirator grew impatient and thus spite-driven dev’d his way into building it over a long weekend, to my surprise and unabashed delight
[2] a little birdie told me y’all often use VS code for your spooky lil deep state dev, we’re ok with you using deciduous for role reversal xoxo
[3] just like everything had to be aaS a decade ago, so must everything be “as code” now… but wait, if we made this a B2B startup, would it then be Behavioral Decision-tree Security Modeling as a service???
[4] we won’t tell; snitches get ditches (but also this is a labor of spite love, so we aren’t paid enough to tell, and delvauxs don’t buy themselves)
[5] they fact but they also attacc??
[6] the three genders, according to ao3
[7] the corporate way of saying it works with your adhd rather than against it
[8] or the human has an uncorporately wide monitor because they repurposed their old curved gaming screen and tries to apologize for the absurd aspect ratio over zoom but then the others accuse them of humble bragging as if size queening over monitors isn’t so 2000 and late and boys, girls, and whirlidirls, if you only knew how my bilighting gaming rig is as hot as my nyc apartment radiators as is my penchant for orotund whale facts as is the yearning for meaning in the soul of any man haunted by hopes boiled in beluga blubber lamps, adrift with salt spray orisons barnacled in existentialist obsession, and what else would sink a man to such foamy, gloaming fathoms of meta?
[9] or maybe this is you and you now know this! Learning and adapting is a beautiful, deserved act of self-compassion
[10] Microsoft calls them “activities” like VSCode is a Chuck-e-cheese
[11] ideally attaching a knead love feelings brownie as bribery, I’m sure the pigeon can make it to the fastly nyc offices