Debunking the AppSec Silver Bullet Myth