
Commit 79f65d8

wbamberg, Elchi3 and github-actions[bot] authored
Add a new page on supply chain attacks (#41034)

* Add a new page on supply chain attacks
* Add some glossary pages
* Use MFA glossary entry
* More references to MFA
* Use CI glossary entry
* tweak CI definition
* Rename page
* Apply suggestions from code review

  Co-authored-by: Florian Scholz <[email protected]>
* Apply suggestions from code review

  Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Defense summary should be H2
* Add a bit on SRI
* Talk about lock files
* lock file->lockfile
* Don't use SMS as an authentication example
* Link lockfiles to SBOMs

---------

Co-authored-by: Florian Scholz <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
1 parent 8792a4b commit 79f65d8


20 files changed: +312 -19 lines changed


files/en-us/glossary/authentication/index.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,15 +7,15 @@ sidebar: glossarysidebar
77

88
**Authentication** is in general the process of proving that some fact is genuine. More specifically, in web security, it is the process of verifying the claimed identity of some entity, such as a user. This then makes it possible to decide whether to grant the user the access that they are requesting, such as being signed into a particular account.
99

10-
Authentication is typically performed by having a user present a user identifier along with a {{glossary("credential")}}, such as a password, a one-time SMS code, or an assertion signed with a private key. The system then checks the binding between the user identifier and the credential, so it can decide whether or not to authenticate the user.
10+
Authentication is typically performed by having a user present a user identifier along with a {{glossary("credential")}}, such as a password, a one-time code, or an assertion signed with a private key. The system then checks the binding between the user identifier and the credential, so it can decide whether or not to authenticate the user.
1111

1212
Types of authentication information, also called _authentication factors_, are commonly presented in three categories:
1313

1414
- Something the user knows, such as a password.
1515
- Something the user has, such as a phone.
1616
- Something the user is, such as a thumbprint.
1717

18-
Multi-factor authentication (MFA) systems require the user to provide more than one factor: for example, a password combined with a one-time code sent to the user's phone.
18+
{{glossary("Multi-factor authentication")}} (MFA) systems require the user to provide more than one factor: for example, a password combined with a one-time code generated using an authenticator app on the user's phone.
1919

2020
## See also
2121
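Review bot: the unchanged bullet "Something the user has, such as a phone" now sits awkwardly next to the two edited lines, which deliberately drop the SMS code and make the MFA example a code generated by an authenticator app; the phone itself is no longer what is being presented as the factor. Suggest "Something the user has, such as a phone running an authenticator app, or a hardware security key" so the factor list and the example below it agree.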

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
---
2+
title: Continuous integration
3+
slug: Glossary/Continuous_integration
4+
page-type: glossary-definition
5+
sidebar: glossarysidebar
6+
---
7+
8+
Continuous integration (CI) is a software development practice in which changes to the source are frequently integrated into the main codebase.
9+
10+
It's an important practice whenever a team of developers is working on a shared codebase. In this situation, different developers might be making overlapping changes to the code at the same time, each in their personal branches. Frequent integration of each developer's changes makes it much less likely that conflicts will occur, and much easier to resolve them when they do.
11+
12+
As [Martin Fowler observes](https://martinfowler.com/articles/continuousIntegration.html#EveryonePushesCommitsToTheMainlineEveryDay):
13+
14+
> Integration is primarily about communication. Integration allows developers to tell other developers about the changes they have made. Frequent communication allows people to know quickly as changes develop.
15+
16+
A major aspect of CI is automated build and test: typically, in a CI system, as soon as a developer opens a pull request to commit their changes to the main branch, an automated process builds the product and runs tests. Once all the tests pass, the change can be peer-reviewed.
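Review bot: the closing sentence, "Once all the tests pass, the change can be peer-reviewed", implies review waits on the test run, whereas review and automated tests normally proceed in parallel and a green build gates the merge rather than the review; suggest "Once the tests pass and the change has been peer-reviewed, it can be merged." Since this commit exists to add a supply chain attacks page and the definition already says CI "builds the product and runs tests" as soon as a pull request is opened, one more sentence making explicit that the CI system therefore executes the submitted changes would give that page something concrete to link to when it discusses CI as part of the supply chain.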
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
---
2+
title: Multi-factor authentication
3+
slug: Glossary/Multi-factor_authentication
4+
page-type: glossary-definition
5+
sidebar: glossarysidebar
6+
---
7+
8+
Multi-factor authentication (MFA) is an authentication method in which the user has to present more than one type of evidence to a system in order to be authenticated.
9+
10+
Most commonly, three different types of evidence (or _factors_) are distinguished:
11+
12+
- Something you know, such as a password or PIN
13+
- Something you have, such as a cellphone or a hardware security token
14+
- Something you are: a biometric such as a fingerprint
15+
16+
If an authentication system requires the user to provide more than one of these factors in order to authenticate, then it is a multi-factor system.
17+
18+
For example, the system might ask the user for a password as well as a code generated by the authenticator app on their phone.
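Review bot: the new entry has no `## See also` section, unlike the existing authentication entry edited in the first hunk; add one linking to {{glossary("Authentication")}} and {{glossary("credential")}}, which is where the MFA macro is now used, so the entries cross-reference each other. Also, "a cellphone" in the "Something you have" bullet is the same device that this commit stops using as an SMS-code example elsewhere; "a cellphone running an authenticator app, or a hardware security token" keeps the bullet consistent with the authenticator-app example in the final sentence.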
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
title: Principle of least privilege
3+
slug: Glossary/Principle_of_least_privilege
4+
page-type: glossary-definition
5+
sidebar: glossarysidebar
6+
---
7+
8+
The principle of least privilege is a design consideration in computer security, according to which entities (including users, system processes, or programs) should be granted the minimum amount of access that they need in order to do their jobs.
9+
10+
For example, in a software development team, all members might need the ability to write to the source code repository, but only a subset of the team might need the ability to alter the repository's security settings.
11+
12+
Applying the principle of least privilege reduces the potential damage when an entity is compromised by an attacker: so for example, if a team member's account is compromised, then the damage that the attacker can do is limited by the privileges that were granted to that team member.
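Review bot: same missing `## See also` as the other new glossary entries; the natural targets are {{glossary("Authentication")}} and the supply chain attacks page this commit adds (its slug is not visible in this diff). Style: "design consideration" undersells what the title calls a principle, so "design principle" fits better, and "so for example, if a team member's account is compromised" reads more cleanly as "for example, if a team member's account is compromised".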

files/en-us/learn_web_development/core/frameworks_libraries/svelte_typescript/index.md

Lines changed: 1 addition & 1 deletion
@@ -215,7 +215,7 @@ And if you pass something that is not a number, it will complain about it:
215215

216216
![Type checking in VS Code - the ms variable has been given a non-numeric value](06-vscode-type-checking-in-components.png)
217217

218-
The application template has a `check` script configured that runs `svelte-check` against your code. This package allows you to detect errors and warnings normally displayed by a code editor from the command line, which makes it pretty useful for running it in a continuous integration (CI) pipeline. Just run `npm run check` to check for unused CSS, and return A11y hints and TypeScript compile errors.
218+
The application template has a `check` script configured that runs `svelte-check` against your code. This package allows you to detect errors and warnings normally displayed by a code editor from the command line, which makes it pretty useful for running it in a {{glossary("continuous integration")}} (CI) pipeline. Just run `npm run check` to check for unused CSS, and return A11y hints and TypeScript compile errors.
219219

220220
In this case, if you run `npm run check` (either in the VS Code console or terminal) you will get the following error:
221221
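Review bot: this hunk and the following ones use the macro as `{{glossary("continuous integration")}}` in lowercase, while the accessibility hunk at the end of the diff uses `{{glossary("Continuous integration")}}` and the new entry's title is "Continuous integration"; confirm that the glossary lookup resolves both spellings to the new `Glossary/Continuous_integration` page, otherwise the lowercase links will render without a target.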

files/en-us/learn_web_development/extensions/server-side/express_nodejs/skeleton_website/index.md

Lines changed: 1 addition & 1 deletion
@@ -401,7 +401,7 @@ npm install
401401
```
402402

403403
> [!NOTE]
404-
> It is a good idea to regularly update to the latest compatible versions of your dependency libraries — this may even be done automatically or semi-automatically as part of a continuous integration setup.
404+
> It is a good idea to regularly update to the latest compatible versions of your dependency libraries — this may even be done automatically or semi-automatically as part of a {{glossary("continuous integration")}} setup.
405405
>
406406
> Usually library updates to the minor and patch version remain compatible.
407407
> We've prefixed each version with `^` above so that we can automatically update to the latest `minor.patch` version by running:
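Review bot: the edited note still advises updating to the latest dependency versions "automatically or semi-automatically" in CI, with nothing linking that advice to the supply chain risk that the page added in this commit is about, even though the commit message says that page covers lockfiles. Consider adding a sentence here that automatic updates should land through the lockfile and a reviewed pull request rather than straight into the build, and linking to the new page, so the two pieces of advice do not contradict each other.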

files/en-us/learn_web_development/extensions/testing/introduction/index.md

Lines changed: 1 addition & 1 deletion
@@ -130,7 +130,7 @@ Finally, you can get smarter with your testing using auditing or automation tool
130130
- see if a button click causes something to happen successfully (like for example, a map displaying), displaying the results once the tests are completed
131131
- take a screenshot of each, allowing you to see if a layout is consistent across the different browsers.
132132

133-
If you wish to invest money in testing, there are also commercial tools that can automate much of the setup and testing for you (such as [Sauce Labs](https://saucelabs.com/) and [Browser Stack](https://www.browserstack.com/)). These kinds of tools usually enable a continuous integration workflow, where code changes are automatically tested before they are allowed to be submitted into your code repository.
133+
If you wish to invest money in testing, there are also commercial tools that can automate much of the setup and testing for you (such as [Sauce Labs](https://saucelabs.com/) and [Browser Stack](https://www.browserstack.com/)). These kinds of tools usually enable a {{glossary("continuous integration")}} workflow, where code changes are automatically tested before they are allowed to be submitted into your code repository.
134134

135135
#### Testing on prerelease browsers
136136

files/en-us/learn_web_development/extensions/testing/your_own_automation_environment/index.md

Lines changed: 1 addition & 1 deletion
@@ -795,7 +795,7 @@ So this is pretty cool. We have tested this locally, but you could set this up o
795795

796796
## Integrating Selenium with CI tools
797797

798-
As another point, it is also possible to integrate Selenium and related tools like LambdaTest, and Sauce Labs with continuous integration (CI) tools — this is useful, as it means you can run your tests via a CI tool, and only commit new changes to your code repository if the tests pass.
798+
As another point, it is also possible to integrate Selenium and related tools like LambdaTest, and Sauce Labs with {{glossary("continuous integration")}} (CI) tools — this is useful, as it means you can run your tests via a CI tool, and only commit new changes to your code repository if the tests pass.
799799

800800
It is out of scope to look at this area in detail in this article, but we'd suggest getting started with Travis CI — this is probably the easiest CI tool to get started with and has good integration with web tools like GitHub and Node.
801801

files/en-us/learn_web_development/getting_started/environment_setup/command_line/index.md

Lines changed: 1 addition & 1 deletion
@@ -464,7 +464,7 @@ With Prettier there's a number of ways automation can be achieved and though the
464464
465465
- Before you commit your code into a git repository using [Husky](https://github.com/typicode/husky).
466466
- Whenever you hit "save" in your code editor, be it [VS Code](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode), or [Sublime Text](https://packagecontrol.io/packages/JsPrettier).
467-
- As part of continuous integration checks using tools like [GitHub Actions](https://github.com/features/actions).
467+
- As part of {{glossary("continuous integration")}} checks using tools like [GitHub Actions](https://github.com/features/actions).
468468
469469
Our personal preference is the second one — while using say VS Code, Prettier kicks in and cleans up any formatting it needs to do every time we hit save. You can find a lot more information about using Prettier in different ways in the [Prettier docs](https://prettier.io/docs/).
470470

files/en-us/web/accessibility/guides/information_for_web_authors/index.md

Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ Tools to integrate into your build process, programmatically adding accessibilit
4141
- [Lighthouse Audits](https://github.com/GoogleChrome/lighthouse/blob/main/docs/readme.md#using-programmatically)
4242
- [AccessLint.js](https://github.com/accesslint/accesslint.js/tree/master)
4343

44-
Continuous integration tools to find accessibility issues in your GitHub pull requests:
44+
{{glossary("Continuous integration")}} tools to find accessibility issues in your GitHub pull requests:
4545

4646
- [AccessLint](https://accesslint.com/)
4747
