Integrity in information security refers to the guarantee that data remains accurate, complete, and unaltered throughout its lifecycle. It ensures that information has not been modified by unauthorized parties, whether during storage, processing, or transmission. Integrity is one of the three pillars of the CIA triad (Confidentiality, Integrity, Availability) that forms the foundation of information security.
How It Works
Integrity controls operate at multiple levels. At the data level, cryptographic hash functions and HMACs verify that content has not been changed. When a file is downloaded, comparing its SHA-256 checksum against the published value confirms it was not tampered with during transit. Digital signatures go further by proving not only that data is unmodified but also that it was created by a specific entity.
At the application level, integrity means ensuring that users can only modify data they are authorized to change, and only through intended operations. Database constraints, transaction controls, and audit logging maintain data integrity. An e-commerce application must ensure that a user cannot modify the price of an item in their cart by manipulating the request. A banking application must ensure that transfers are atomic: either the full transaction completes or none of it does.
At the system level, integrity monitoring detects unauthorized changes to files, configurations, and code. File integrity monitoring systems compare current file states against known-good baselines and alert when changes occur. Code signing ensures that software has not been modified since the developer published it. Subresource Integrity (SRI) in web applications verifies that scripts loaded from CDNs have not been tampered with by comparing their hash against an expected value in the HTML tag.
Why It Matters
Integrity violations can be subtle and devastating. A modified configuration file might weaken security controls without anyone noticing. A tampered JavaScript file loaded from a compromised CDN could harvest credentials from every visitor. A manipulated database record could change account balances or permissions.
Security assessments test integrity controls by attempting to modify data through unauthorized channels, bypass transaction controls, and tamper with signed or hashed values. Weak integrity controls often indicate deeper architectural issues with trust boundaries and data validation.
Need your application tested? Get in touch.