As much as I get pushback for saying that since AI, I never look at the code and can still be sure it meets the functional and non-functional requirements, no one has been able to dispute my methodology.
For functional requirements I review both the unit and more often the integration tests and make sure they align with the requirements.
For security, I validate the API endpoints can’t be accessed without authentication and these days I use Amazon Cognito.
The host environment - Lambda, EC2, Docker runtime (ECS/EKS) - has IAM roles attached with least privilege.
Then someone asked about multi-tenancy and RBAC. Since I mostly deal with B2B clients with large business customers, each customer gets their own AWS account.
For RBAC, DynamoDB and Postgres, at least on AWS, both have row-level security that you can tie to a user or group - again authorized by Cognito or IAM. Even if the code does miss something, it's still protected.
The database itself doesn't have access to the outside world, and if I can, I don't even assign a user to the database; I use the AWS Data API when possible, which goes through the AWS control plane and IAM. If I do end up using a database user, it again has least privilege.
Of course UX and UI testing has to be done manually.
I do carefully review the "works on my machine" and "works with small dataset" footguns - like concurrency implementations - and I also have scalability tests.
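An added example of the database-side guard the post relies on (this is not the poster's code): Postgres row-level security keyed to the authenticated user's identity, so a query whose WHERE clause the application forgot still returns only that user's rows, and a write for someone else's row is rejected. The table, the `app_rw` role, the `owner_sub` column and the `app.cognito_sub` session variable are assumed names; the API layer is assumed to verify the Cognito token and pin its `sub` into the transaction.

```sql
-- Added example (not from the original post). Assumes the script runs as a
-- superuser or the table owner; table/role/setting names are illustrative.

CREATE TABLE invoices (
    id           bigserial PRIMARY KEY,
    owner_sub    text   NOT NULL,  -- Cognito "sub" of the owning user (assumed column)
    amount_cents bigint NOT NULL
);

-- Constructed sample data for two users, loaded before RLS is switched on.
INSERT INTO invoices (owner_sub, amount_cents) VALUES
    ('sub-alice', 1200),
    ('sub-alice',  450),
    ('sub-bob',   9900);

-- The application role owns nothing and gets only the DML it needs.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_rw;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE  ROW LEVEL SECURITY;  -- policies apply even to the table owner

-- Every read and write must match the caller's identity. With missing_ok = true,
-- an unset variable yields NULL (or '' once it has been touched); neither
-- matches any owner_sub, so a request with no identity pinned sees nothing.
CREATE POLICY invoices_owner_only ON invoices
    FOR ALL
    TO app_rw
    USING      (owner_sub = current_setting('app.cognito_sub', true))
    WITH CHECK (owner_sub = current_setting('app.cognito_sub', true));

-- Per request: switch to the low-privilege role and pin the verified Cognito
-- sub for this transaction only. SET LOCAL is undone at COMMIT/ROLLBACK, so a
-- pooled connection cannot leak one user's identity into the next request.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.cognito_sub = 'sub-alice';

-- Application bug: no WHERE clause. RLS still returns only Alice's two rows.
SELECT id, amount_cents FROM invoices;

-- Application bug: writing a row on behalf of another user. WITH CHECK rejects it:
--   ERROR:  new row violates row-level security policy for table "invoices"
-- INSERT INTO invoices (owner_sub, amount_cents) VALUES ('sub-bob', 1);
COMMIT;
```

The FORCE clause matters when the application role happens to own the table, since owners otherwise bypass RLS; using SET LOCAL rather than SET keeps the identity scoped to the transaction, which is the failure mode to watch for with connection pooling.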