A study into 11 popular open source applications suggests that enterprises
are underestimating the security risks of using the code.
Security vendor Fortify studied the applications, including JBoss and
OpenCMS, and found a number of security problems which it partly blames on poor
security practices and processes by open source programmers.
"Security best practices are a low priority to the open source projects
surveyed," said Fortify's Open Source Security Study.
"Open source packages often claim enterprise-class capabilities but are not
adopting, or even considering, industry best security practices. Only a few open
source development teams are moving in the right direction."
Mozilla was highlighted as the open source project that took security most
seriously, but the report found that many other projects were not building in
efficient security in the design and implementation of software.
The report highlighted three features that Fortify considers vital for
enterprise software security: proper documentation; access to security coders
within the development group; and a clear point of contact for security
questions.
Only two of the packages reviewed offered a link to security documentation,
three gave access to security coders and only one, Tomcat, had a dedicated
security email.
"Most open source communities do not follow enterprise-level change control
standards," said Jennifer Bayuk, an independent security consultant and former
chief information security officer at Bear Stearns.
"There is a hidden cost for the enterprise in using open source because they
have to test and patch for security bugs that they do not anticipate."
The study also looked at the patching lifecycle and highlighted serious
concerns with some applications, for which patches can take up to a year to be
issued. Hipergate's CRM applications fared particularly poorly in this respect.