There are two sides to security. The first is related to properly configuring access to content and functionality for authorized users.

The second is making sure that hackers are not able to exploit flaws in the implementation to gain unauthorized access to content and functionality.

When it comes to Kentico Xperience with MVC development you need to consider the following:

• User permissions and access control lists (ACLs)
• Proper configuration of controllers/views/page builder widgets
• Sanitization of user input to SQL injections and cross site scripting attacks
• Secure data storage/transfer

Kentico administration UI and APIs make it easy for you to secure your application by providing an easy to use UI, some automatic protections, and tools to make sure you are able to easily secure your code.

Many times, developers primarily focus on just making sure what they build is functional. This can lead to scalability issues, higher running costs, or even dissatisfied users.

Kentico does a lot of optimization automatically, and provides lots of ways to get better performance out of your project with features like:

• Caching in MVC
• APIs that can be fine tuned to retrieve only the necessary data.
• Built in debugging tools allow easy access and visibility into the inner workings of the system.

It's important to note that while Kentico Xperience does a lot of things automatically, it can be very easy to introduce performance issues. Here are a few practices to keep in mind as you develop:

• Introduce as few (ideally zero) SQL queries as possible.
• Make sure that you have a caching strategy and that it is working.
• Review the performance of your custom code using the debugging tools in the administration interface.
• Review how the project is configured, as some options like analytics and online marketing features can add some overhead to requests (only enable what you need).
• Consider first page load time as well as primed cache load time.
• Consider integrating third-party tools to gain further improvements such as minifying your HTML with WebMarkupMin. 

When building something new, you need to consider what it depends on (data structures, third party APIs, etc.) and what will depend on it (templates, custom modules, etc.).

It is important to plan how what you are building will interact with its dependencies in order to avoid re-work or extra effort. This is also important when considering how to deploy new features/functionality down the line.

Some examples of dependencies to think about in Kentico Xperience include:

• Page types, content, and components needed before being able to build a page.
• Cache dependencies being configured properly.
• Code files and resource strings for a custom module class needed before developing module UI.
• Third party libraries must be available in .NET or as a web API before you can interact with them inside a Kentico project.
• Relationships between custom built features must be understood.

Whether the project will be maintained by the same team or not, implementations should be created with future maintenance in mind.

If something is built sloppily the first time, maintenance can easily be exponentially more costly. It is important to consider every aspect of what you are developing when it comes to maintainability.

For example, you will want to pay attention to some of the following things in Kentico:

• Name code files appropriately (e.g. use the class name of the class contained in the file).
• Use Kentico's logging APIs to log success/failure/warning/information appropriately.
• Consider refactoring large methods and using abstraction layers to make code readable and reusable.
• Use built-in extensibility points such as global events or providers.
• Use an appropriate naming convention to avoid collisions with system objects, especially during upgrades/hotfixes (e.g. prefix things with an abbreviated version of the site/project name).

This applies to both editors and visitors. Your solutions should be built with ease of use in mind. Your editors will have an easier time keeping the site up to date, and your visitors will be more engaged.

Some examples of how you can create a good experience for editors and visitors are:

• Utilize MVC widgets rather than page type content only for personalization and/or AB testing to allow your editors to have more flexibility when creating a page.
• Build integrations that require simple interaction or are automatically run.
• Utilize custom modules to extend the system in a complex way while maintaining a consistent and easy to use user interface for editors.
• Don't require more information than necessary from visitors.
• Provide visitors with a customized experience based on their history or context.
• Make it easy for visitors to fall into the pit of success.
• Consider page load times for visitors (the faster the better).

Projects are very rarely built once and never extended. Thinking about how a feature might need to be enhanced in the future can help save effort and time in the future.

However, do bear in mind that there is a need to balance the effort/time with the project's budget/timeline. Be sure to think about:

• Consider how data will grow and change in the future.
• Think about future integrations or features that need to be added.

Consider building on Kentico built in extensibility points to help with this process:

• Use custom modules.
• Investigate event handlers.
• Look for providers to override/extend.