I far prefer the French approach to April Fool’s with their Poisson D’Avril – slap a paper fish on the back of an unsuspecting victim.
Much like appsec slaps a bunch of checklists on unsuspecting code.
But maybe the joke’s on us?
After all, we still have CVEs week after week after week.
Maybe it’s the term appsec itself – it starts with apps and whatever good intentions you might have, but it nevertheless always ends in C.