Ellie Mae has a large ecosystem of Partners who ensure customers can efficiently engage, originate, close, and sell loans. Our high security standards protect thousands of customers and our ever-expanding Partner network.
At Ellie Mae, we continuously enhance our code and security assurance processes to help Partners deliver high-quality and secure integrations. The following security standards are the minimum that must be in place before a Partner integration can be approved for production. These standards are referenced in the contract between Ellie Mae and the Partner.
The Partner must allow Ellie Mae to conduct a TLS analysis.
The Partner must maintain an overall rating of A or above per the TLS server tests.
The Partner must conduct a static code scan if the application is hosted on a lender environment, and share the report with Ellie Mae.
Digital certificate requirements:
- The Partner must not use wildcard certificates.
- The certificate key type and size must be RSA 2048 bits or stronger.
- The certificate must be in active status and not expire within a year of submission.
- The certificate chain must be signed by a third-party certificate authority (CA) for the server certificate, intermediate CA, and root CA.
- The certificate must be trusted.
- There should be no trust chain issues.
Secure communication requirements:
- Data communication must use HTTPS.
- Data-in-transit secure communication protocol must be TLS 1.2 and above.
- The server must be configured with HTTP Strict Transport Security.
- TLS compression must be disabled as it may allow for a CRIME attack.
- The servers must not be vulnerable to the following:
  - POODLE over TLS
  - OpenSSL padding-oracle flaw (CVE-2016-2107)
  - CVE-2014-0224 (OpenSSL CCS flaw)
  - CVE-2009-3555 (client-initiated insecure renegotiation could allow MITM attacks)
- The server must support the TLS_FALLBACK_SCSV extension to prevent protocol downgrade attacks.
- Forward Secrecy is required. Based on the platform, the Partner utilizes the following protocols and associated ciphers.
- Partners are to use only the approved ciphers or policy listed for the cloud platform below.
Additional ciphers may be enabled for TLSv1.2 regardless of platform:
- The Partner must use AES encryption with a 256-bit key to encrypt data received from Ellie Mae while at rest.
- The Partner must implement IP whitelisting between the Partner's and Ellie Mae's EPC servers.
- The Partner must inform Ellie Mae of any significant security incidents, such as data breach incidents, within 4 hours.
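As an added example (not Ellie Mae's own tooling), the following Python checker turns the certificate and secure-communication minimums above into pass/fail findings over a constructed scan record. The record's field names are this example's assumptions; the platform-specific cipher lists are not covered.

```python
from datetime import datetime, timedelta

# Constructed scan record, shaped like a TLS scanner's summary of a Partner
# endpoint; the field names are this example's own assumption.
SAMPLE_SCAN = {
    "san": ["api.partner.example"],  # subjectAltName entries
    "key_type": "RSA",
    "key_bits": 2048,
    "not_after": "2027-06-01",  # certificate expiry
    "chain_trusted": True,  # validates to a third-party root CA
    "min_protocol": "TLSv1.2",  # lowest protocol the server accepts
    "hsts_header": "max-age=31536000; includeSubDomains",
    "compression": False,  # TLS compression enabled (CRIME exposure)?
    "fallback_scsv": True,  # TLS_FALLBACK_SCSV supported?
    "forward_secrecy": True,  # every negotiable suite is (EC)DHE
}

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def check_partner_tls(scan, submitted_on):
    """Return violations of the listed minimums; [] means compliant.
    `submitted_on` is the ISO date (YYYY-MM-DD) the integration was submitted."""
    findings = []
    if any(name.startswith("*.") for name in scan["san"]):
        findings.append("wildcard certificate")
    if scan["key_type"] != "RSA":
        findings.append("key type is not RSA; review against the standard")
    elif scan["key_bits"] < 2048:
        findings.append("RSA key shorter than 2048 bits")
    expiry = datetime.strptime(scan["not_after"], "%Y-%m-%d")
    if expiry - datetime.strptime(submitted_on, "%Y-%m-%d") < timedelta(days=365):
        findings.append("certificate expires within a year of submission")
    if not scan["chain_trusted"]:
        findings.append("certificate chain not trusted")
    if PROTOCOL_ORDER.index(scan["min_protocol"]) < PROTOCOL_ORDER.index("TLSv1.2"):
        findings.append("protocol below TLS 1.2 accepted")
    if "max-age=" not in (scan.get("hsts_header") or "").replace(" ", "").lower():
        findings.append("HSTS header missing or without max-age")
    if scan["compression"]:
        findings.append("TLS compression enabled (CRIME)")
    if not scan["fallback_scsv"]:
        findings.append("TLS_FALLBACK_SCSV not supported")
    if not scan["forward_secrecy"]:
        findings.append("forward secrecy not guaranteed")
    return findings


if __name__ == "__main__":
    print(check_partner_tls(SAMPLE_SCAN, "2026-01-15"))  # prints []
```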