[MattGaiser]

What kind of a thing is this?

Is there a reason you couldn't simply act as the user and test it out? Most QAs I have worked with have not been technical either.

[highwayman47]

What if it's sensitive data, and just want to make sure it's secure - not necessarily saying the dev is malicious, but maybe need a 2nd pair of eyes on security, etc.

[solardev]

Then you shouldn't trust the dev or a random second pair of eyes either, but probably get an independent security audit from a professional cybersec auditor, and even then, have insurance and a plan in mind for when leaks/hacks occur (they will, once you're big enough scale).

Security is something that even professional devs get wrong all the time and why the industry has vulnerability disclosure processes (https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...), listings (https://cve.mitre.org/), and entire groups that try to find them before the blackhats do (https://googleprojectzero.blogspot.com/)

If you just want "good enough" security for a side project or whatever, then using standard libs & algorithms (NOT inventing your own) is usually a good bet. As a layperson you probably can't evaluate the security knowledge of a developer. Most developers can't even evaluate that of other devs. Security is a specific specialty that most devs only know the very basics of (if even that).