Software developers get SWAMP’ed, and that’s good for software security assurance