Security Review Process for Production

Ellie Mae has a large ecosystem of Partners who ensure customers can efficiently engage, originate, close, and sell loans. Our high security standards protect thousands of customers and our ever-expanding Partner network.

At Ellie Mae, we continuously enhance our code and security assurance processes to help Partners deliver high-quality and secure integrations. The following security standards are the minimum that must be in place before a Partner integration can be approved for production. These standards are referenced in the contract between Ellie Mae and the Partner.

Security Process Checklist

  1. The Partner must allow Ellie Mae to conduct a TLS analysis.

  2. The Partner must maintain an overall rating of A or above per the TLS server tests.

  3. The Partner must allow Ellie Mae to perform static code scans of the Partner API or of code for any JavaScript or API-related vulnerabilities that could infect the Ellie Mae environment.

  4. The Partner must conduct a static code scan if the application is hosted on a lender environment, and the report should be shared with EllieMae.

  5. Digital certificate requirements:

  • The Partner must not use wildcard certificates.
  • The certificate key type and size must be RSA 2048 bits or stronger.
  • The certificate must be in active status and not expire within a year of submission.
  • The certificate chain must be signed by a third-party certificate authority (CA) for the server certificate, intermediate CA, and root CA.
  • The certificate must be trusted.
  • There should be no trust chain issues.
  1. Secure communication requirements:
  • Data communication must use HTTPS.
  • Data-in-transit secure communication protocol must be TLS 1.2 and above.
  • The server must be configured with HTTP Strict Transport Security.
  • TLS compression must be disabled as it may allow for a CRIME attack.
  • The servers must not be vulnerable to the following:
  • POODLE over TLS
  • OpenSSL padding-oracle flaw (CVE-2016-2107)
    • Heartbleed
    • CVE-2014-0224 (OpenSSL CCS flaw)
    • CVE-2009-3555 (client-initiated insecure renegotiation could allow MITM attacks)
    • RC4
  • The server must support the TLS_FALLBACK_SCSV extension for protocol downgrade attack prevention
  • Forward Secrecy is required. Based on the platform, the Partner utilizes the following protocols and associated ciphers.
  • Partners are to use only the approved ciphers or policy listed for the cloud platform below.
PlatformProduct/PolicyCipher
Azure TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
AWS ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256
AES256-GCM-SHA384
* AES128-SHA256
Heroku TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Additional ciphers may be enabled for TLSv1.2 regardless of platform: ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA256
ECDHE-RSA-AES256-CBC-SHA384
ECDHE-RSA-AES256-CBC-SHA256
ECDHE-RSA-AES128-CBC-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA256
ECDHE-ECDSA-AES256-CBC-SHA384
ECDHE-ECDSA-AES256-CBC-SHA256
ECDHE-ECDSA-AES128-CBC-SHA256
ECDH-RSA-AES128-CBC-SHA256
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-CBC-SHA384
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-CBC-SHA256
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
  1. The Partner must use AES encryption with a key strength of 256 bits to encrypt the data received from Ellie Mae at REST.
  2. The Partner must implement IP-whitelisting support between the Partner’s and Ellie Mae’s EPC servers.
  3. The Partner must not include any third-party URLs in the JavaScript code hosted by Ellie Mae on the Partner’s behalf.
  4. The Partner must inform Ellie Mae of any significant security incidents, such as data breach incidents, within 4 hours.

What’s Next