Other really good requirements that aren't generic enough to be part of the project but that might be what you're looking for in YOUR environment

DNS

 * 1) No internal hostnames or addresses will be published on internet-facing DNS servers

Network Equipment

 * 1) Management interfaces will never be on internet-facing interfaces
 * 2) Egress-blocking will be strictly enforced in DMZs. Only necessary traffic will be permitted to be initiated outbound.

Windows

 * 1) All Windows systems will be members of a dedicated DMZ domain/forest

iPhone Tips and Requirements

 * 1) I have no idea but there's probably SOMETHING
 * 2) Maybe "checks for jailbreak and won't install"

Java

 * 1) Will adhere to ESAPI guidelines, standards, and code to the maximum extent possible.

.Net

 * 1) Will adhere to .Net ESAPI guidelines, standards, and code to the maximum extent possible.

PHP

 * 1) Shall be discarded in favor of dang near anything else