Nova Silva Power BI Certified visuals: Ensuring Security and Privacy
In this article we explore how using Power BI Certified visuals helps organizations protect data integrity and ensure the security and privacy of sensitive information.
What are Power BI Certified visuals?
Certified Power BI visuals are visuals in AppSource that meet certain specified code requirements that the Microsoft Power BI team has tested and approved. The tests are designed to check that the visual doesn’t access external services or resources, and that it follows secure coding patterns and guidelines. All certified visuals must pass all the certification requirements.
Why are Nova Silva visuals Power BI Certified?
All our Power BI visuals (including the Shielded HTML Viewer) are certified by Microsoft. At Nova Silva we develop visuals based on the Microsoft Certification requirements, so our visuals are tested to verify that they don’t access external services or resources, and that they follow secure coding patterns and guidelines. An important requirement to pass the Microsoft certification tests is that the visuals cannot connect with any external server or service. In other words: our visuals do not share any of your data with anyone, not even with us. This is the main reason why we certify all our visuals: we want to make sure you are the only party that can access your data.
When you use our visuals, you do not make use of any Nova Silva infrastructure or platform. Our visuals do not share data with any external service or resource, we have no access to any of your data, nor do we play a role in any production services. We publish our visuals (and any updates) to Microsoft. Microsoft will check our code to determine if it complies with their quality and security standards. After passing these certification tests, Microsoft will publish the visual to the Microsoft AppSource. This is where you will download and use it from. The next image gives an overview of how we work with Microsoft on our Power BI visuals.
At run time, the code of our visuals resides in a Microsoft-managed environment. The only way we can change this code is through the Microsoft Certification process. Our visuals interact with Power BI through a Visuals API. This API provides the visual with the right data and context. The visual only renders the result on the screen within Power BI.
Microsoft Certification Process
This is the process to certify our visuals:
- Comply with Microsoft’s Certification requirements.
- Submit the Power BI visual for certification: visual is published via the Partner Center.
- Certification Test: every time a new version of a certified visual is submitted to the marketplace, the version update goes through the same certification checks. The version update certification is automatic. If the update is rejected because of a violation, an email is sent to the developer explaining what needs to be fixed.
- Publication timeline: the process of deploying to AppSource may take some time. The Power BI visual will be available to download from AppSource when this process is complete.
Each time we develop or update a visual we perform our own internal testing to make sure we comply with all Microsoft certification requirements. Then we publish the source code to Microsoft, and they perform their Certification Test. After passing all tests Microsoft will publish the visual to the Microsoft AppSource. This is the environment where our customers can access the visual and use it within their Power BI Environment.
Each time we publish a (new) version of our visual it first needs to pass the Microsoft Certification tests. This includes a thorough review of our source code by Microsoft engineers. A certified visual cannot lose its certification with a new update. Instead, the update is rejected. If the update is rejected because of a violation, an email is sent to Nova Silva explaining what needs to be fixed.
What are the requirements to get Power BI Certified?
These are some of the requirements to get a Power BI visual certified.
List of requirements:
- Share the source code with Microsoft via private repository (with two-factor authentication)
- Use the latest API version
- Use ESLint with the Microsoft required security rules to scan for errors and security violations
- Use latest version of powerbi-visuals-tools to write the Power BI visual
- 1200 Power BI visuals additional certification policies
- Use only public reviewable OSS components
- Support Rendering Events API
- DOM is manipulated safely
- Visual is approved for publishing in the AppSource
- Do not pass or transmit customer data externally
- The visual does not access external services or resources
Before submitting a Power BI visual for certification:
- The visual needs to comply with the guidelines for Power BI visuals
- The visual needs to pass all these required tests
- The compiled package exactly matches the submitted package
To learn more about the certification process, go to Microsoft.
What tests are done during the certification process?
The certification process tests include, but aren’t limited to:
- Code reviews
- Static code analysis
- Data leakage
- Data fuzzing
- Penetration testing
- Access XSS testing
- Malicious data injection
- Input validation
- Functional testing
What is not allowed?
- Accessing external services or resources. For example, no HTTP/S or WebSocket requests can go out of Power BI to any services. Therefore, WebAccess privileges should be empty, or omitted, in the capabilities settings.
- Using innerHTML, or D3.html(user data or user input).
- JavaScript errors or exceptions in the browser console, for any input data.
- Arbitrary or dynamic code such as eval(), unsafe use of settimeout(), requestAnimationFrame(), setinterval(user input function), and user input or user data.
- Minified JavaScript files or projects.
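As an added example (not Nova Silva's or Microsoft's code), the following pre-submission check flags several of the prohibited patterns listed above before a visual is sent for certification. The capabilities.json shape (a privileges array with name and parameters), the file name src/visual.ts and the sample inputs are assumptions made for illustration, and the regular expressions are a coarse first pass, not a substitute for the ESLint rules Microsoft requires.

```javascript
// Added example (not Nova Silva or Microsoft code): coarse pre-submission check.
// Assumed capabilities.json shape: { privileges: [{ name, essential, parameters }] }.
const BANNED = [
  { rule: "innerHTML assignment", re: /\.innerHTML\s*\+?=(?!=)/ },
  { rule: "D3 .html() with an argument", re: /\.html\s*\(\s*[^)\s]/ },
  { rule: "eval()", re: /\beval\s*\(/ },
  { rule: "string code passed to a timer", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  { rule: "outbound request API", re: /\bfetch\s*\(|\bXMLHttpRequest\b|\bWebSocket\b/ },
];

// WebAccess must be omitted or carry no URL parameters.
function checkCapabilities(capabilities) {
  const findings = [];
  for (const p of capabilities.privileges ?? []) {
    if (p.name === "WebAccess" && (p.parameters ?? []).length > 0) {
      findings.push({ file: "capabilities.json", line: 0, rule: "non-empty WebAccess privilege" });
    }
  }
  return findings;
}

// Line-by-line scan; comments are not stripped, so expect some false positives.
function scanSource(file, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { rule, re } of BANNED) {
      if (re.test(line)) findings.push({ file, line: i + 1, rule });
    }
  });
  return findings;
}

// Constructed sample input, not taken from any real visual.
const sampleCapabilities = {
  privileges: [{ name: "WebAccess", essential: true, parameters: ["https://example.invalid"] }],
};
const sampleSource = [
  'const el = document.createElement("div");',
  "el.innerHTML = userText;",
  "el.textContent = userText;",
  'setTimeout("render()", 100);',
  "setTimeout(() => render(), 100);",
  "d3.select(el).html(userText);",
].join("\n");

function runDemo() {
  return [...checkCapabilities(sampleCapabilities), ...scanSource("src/visual.ts", sampleSource)];
}
console.log(runDemo());
```

The safe counterparts in the sample (textContent and a function passed to setTimeout) produce no findings, which is the behaviour a visual's own code should aim for.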
How to identify Power BI Certified visuals in AppSource?
Certified visuals will be clearly identified by:
- Filtering with Sort by: Power BI Certified to display only certified Power BI visuals in the AppSource.
- A small badge (yellow or blue checkmark) on the visual’s card, both in AppSource and when importing from within the Power BI interface.
- When the Power BI visual card is clicked in AppSource, a PBI Certified yellow badge and the message under Visual capabilities will indicate that "This visual is certified by Power BI."
Non-certified visuals: some Power BI visuals aren’t certified because they don’t comply with one or more of the certification requirements. For example, a map Power BI visual connecting to an external service, or a Power BI visual using commercial libraries can’t be certified.
When that is the case the visual has no badge and will show this information:
Did you know?
Microsoft certified our first Power BI visual, the Shielded HTML Viewer, back in 2020! It was a long process and took several code reviews by Microsoft before we got our first visual certified.
Sometimes users report that the Shielded HTML Viewer does not work with LinkedIn or YouTube. Our visuals do not render anything from any external server or service, as this is one of the main requirements to be certified. Rendering such external content can only be achieved with a non-certified visual.
Currently, all Nova Silva visuals are Power BI Certified. This guarantees our visuals are safe and secure and ensures they meet the highest data security standards.
We are committed to maintaining those standards: all our visuals are either certified or in the process of getting certified.
Power BI certified visuals offer more features than non-certified visuals, such as:
- Export to PowerPoint
- Export to PDF
- Display of the visual in received emails when a user subscribes to report pages