Security Review Process for Production

Ellie Mae has a large ecosystem of Partners who ensure customers can efficiently engage, originate, close, and sell loans. Our high security standards protect thousands of customers and our ever-expanding Partner network.

At Ellie Mae, we continuously enhance our code and security assurance processes to help Partners deliver high-quality and secure integrations. The following security standards are the minimum that must be in place before a Partner integration can be approved for production. These standards are referenced in the contract between Ellie Mae and the Partner.

Security Process Checklist

  1. The Partner must allow Ellie Mae to conduct a TLS analysis.

  2. The Partner must maintain an overall rating of A or above per the TLS server tests.

  3. The Partner must allow Ellie Mae to perform static code scans of the Partner API or code for any JavaScript or API-related vulnerabilities that could affect the Ellie Mae environment.

  4. The Partner must conduct a static code scan if the application is hosted on a lender environment, and the report must be shared with Ellie Mae.

  5. Digital certificate requirements:

  • The Partner must not use wildcard certificates.
  • The certificate key type and size must be RSA 2048 bits or stronger.
  • The certificate must be in active status and not expire within a year of submission.
  • The certificate chain must be signed by a third-party certificate authority (CA) for the server certificate, intermediate CA, and root CA.
  • The certificate must be trusted.
  • There should be no trust chain issues.
  6. Secure communication requirements:
  • Data communication must use HTTPS.
  • The secure communication protocol for data in transit must be TLS 1.2 or above.
  • The server must be configured with HTTP Strict Transport Security.
  • TLS compression must be disabled, as it may allow a CRIME attack.
  • The servers must not be vulnerable to the following:
    • POODLE over TLS
    • OpenSSL padding-oracle flaw (CVE-2016-2107)
    • Heartbleed
    • CVE-2014-0224 (OpenSSL CCS flaw)
    • CVE-2009-3555 (client-initiated insecure renegotiation could allow MITM attacks)
    • RC4
  • The server must support the TLS_FALLBACK_SCSV extension to prevent protocol downgrade attacks.
  • Forward Secrecy is required. Depending on the platform, the Partner uses the following protocols and associated ciphers.
  • Partners are to use only the approved ciphers or policy listed for their cloud platform below.

Platform | Product/Policy | Cipher

Azure

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

AWS

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256

Heroku

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Additional ciphers may be enabled for TLSv1.2 regardless of platform:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA256
  • ECDHE-RSA-AES256-CBC-SHA384
  • ECDHE-RSA-AES256-CBC-SHA256
  • ECDHE-RSA-AES128-CBC-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA256
  • ECDHE-ECDSA-AES256-CBC-SHA384
  • ECDHE-ECDSA-AES256-CBC-SHA256
  • ECDHE-ECDSA-AES128-CBC-SHA256
  • ECDH-RSA-AES128-CBC-SHA256
  • ECDH-ECDSA-AES256-GCM-SHA384
  • ECDH-ECDSA-AES256-CBC-SHA384
  • ECDH-ECDSA-AES128-GCM-SHA256
  • ECDH-ECDSA-AES128-CBC-SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  7. The Partner must use AES encryption with a key strength of 256 bits to encrypt the data received from Ellie Mae at rest.
  8. The Partner must implement IP-whitelisting support between the Partner's and Ellie Mae's EPC servers.
  9. The Partner must not include any third-party URLs in the JavaScript code hosted by Ellie Mae on the Partner's behalf.
  10. The Partner must inform Ellie Mae of any significant security incidents, such as data breach incidents, within 4 hours.
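The certificate and secure-communication requirements above (items 5 and 6), turned into an offline checklist evaluator so a Partner can self-check a scan result before submitting; this is an added example, not Ellie Mae's review tooling. It assumes a scan-result dict (protocol names, OpenSSL-style cipher names, a few boolean flags and parsed certificate fields) produced by whatever TLS scanner you already run; the approved set is the AWS list from the table, and the sample scan is constructed.

```python
from datetime import date, timedelta

# Approved AWS cipher list, copied from the table above; other platforms have their own sets.
AWS_APPROVED = {
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # checklist allows TLS 1.2 and above only
# Ephemeral (EC)DH key exchange, or a TLS 1.3 suite, which is always forward secret.
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")
SUBMITTED = date(2024, 1, 15)  # constructed submission date for the sample below


def review(scan, approved, submitted):
    """Return the checklist violations found in one scan-result dict; an empty list means pass."""
    cert = scan["cert"]
    findings = [f"legacy protocol enabled: {p}" for p in scan["protocols"] if p in LEGACY_PROTOCOLS]
    checks = [
        (scan["compression"], "TLS compression enabled (CRIME)"),
        (not scan["fallback_scsv"], "TLS_FALLBACK_SCSV not supported"),
        (not scan["hsts"], "HTTP Strict Transport Security not configured"),
        (not any(c.startswith(FS_PREFIXES) for c in scan["ciphers"]), "no forward-secret cipher offered"),
        (any(n.startswith("*.") for n in [cert["subject_cn"], *cert["sans"]]), "wildcard certificate"),
        (cert["key_type"] != "RSA" or cert["key_bits"] < 2048, "key must be RSA 2048 bits or stronger"),
        (cert["not_after"] < submitted + timedelta(days=365), "certificate expires within a year of submission"),
        (cert["issuer"] == cert["subject"], "self-signed certificate; chain must end at a third-party CA"),
    ]
    findings += [msg for bad, msg in checks if bad]
    for cipher in scan["ciphers"]:
        if "RC4" in cipher:
            findings.append(f"RC4 cipher enabled: {cipher}")
        elif cipher not in approved:
            findings.append(f"cipher not on approved list: {cipher}")
    return findings


# Constructed scan result for a non-compliant Partner endpoint (sample data, not a real host).
SAMPLE_SCAN = {
    "protocols": ["TLSv1", "TLSv1.2"], "compression": False, "fallback_scsv": True, "hsts": False,
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"],
    "cert": {"subject": "CN=*.partner.example", "subject_cn": "*.partner.example", "sans": [],
             "issuer": "CN=Example Intermediate CA", "key_type": "RSA", "key_bits": 2048,
             "not_after": date(2024, 9, 1)},
}

if __name__ == "__main__":
    for finding in review(SAMPLE_SCAN, AWS_APPROVED, SUBMITTED):
        print("FAIL:", finding)
```

The key-type check follows the checklist wording literally (RSA 2048 or stronger); a platform that terminates TLS with an ECDSA certificate should confirm with Ellie Mae how that item is applied.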
