I've got to write a standard for our developers and application guys to work to.

They should ensure that all public-facing information systems (websites or other apps available from the web) are tested and reasonably secure against input validation attacks.

I don't know whether to keep it at a high level (basically the line above) or if I should detail the sort of testing that should take place and responses to discovered vulnerabilities.

Anyone care to share the sorts of standards they work under?