System and method for vulnerability risk analysis

US9317692B2 · US · B2

Patent metadata

Publication number: US-9317692-B2
Application number: US-78497210-A
Country: US
Kind code: B2
Filing date: May 21, 2010
Priority date: Dec 21, 2009
Publication date: Apr 19, 2016
Grant date: Apr 19, 2016

Abstract

Official abstract text for this publication.

Embodiments of the present invention are directed to a method and system for automated risk analysis. The method includes accessing host configuration information of a host and querying a vulnerability database based on the host configuration information. The method further includes receiving a list of vulnerabilities and accessing a plurality of vulnerability scores. The list of vulnerabilities corresponds to vulnerabilities of the host. Vulnerabilities can be removed from the list based on checking for installed fixes corresponding to each vulnerability. A composite risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores. An aggregate risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for analyzing risk, the method comprising: accessing, within an electronic system, host configuration information of a host; querying a vulnerability database based on said host configuration information; receiving a list of vulnerabilities, wherein said list of vulnerabilities corresponds to vulnerabilities of said host; accessing a plurality of vulnerability scores for said host and at least one software product of said host, wherein said plurality of vulnerability scores measure access vulnerability and vulnerability impact, and wherein said host and said at least one software product of said host are respectively associated with more than one of said plurality of vulnerability scores; determining a composite risk score for at least one of said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said composite risk score measures at least in part a severity reflecting that an exploited vulnerability is needed by an attacker to compromise at least one of said host and said at least one software product of said host, and wherein said composite risk score is based on a highest vulnerability score among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host; determining an aggregate risk score for at least one of said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said aggregate risk score measures at least in part a number of options available to said attacker for compromising at least one of said host and said at least one software product of said host, and wherein said aggregate risk score is based on a summation among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host; generating a graph representing said at least one software product of said host, wherein nodes of said graph represent software states of said at least one software product, wherein edges of said graph represent vulnerabilities detected in said at least one software product, wherein a path through said graph begins at a start node having relatively lower access vulnerability, and wherein said path ends at an end node having relatively higher vulnerability impact; and determining a risk score based on said path through said graph and at least one of said composite risk score and said aggregate risk score.

2. The method of claim 1 wherein said host configuration information comprises information about a plurality of software applications and an operating system.

3. The method of claim 1 further comprising: querying a fixes database based on said list of vulnerabilities; receiving a list of fixes; and checking said list of fixes against said host configuration information.

4. The method of claim 3 further comprising: determining a software product contributing the most risk to an enterprise.

5. The method of claim 4 further comprising: determining a host contributing the most risk to said enterprise.

6. The method of claim 5 further comprising: determining a vulnerability contributing the most risk to said enterprise.

7. The method of claim 1 wherein said vulnerability database is a National Vulnerability Database (NVD).

8. The method of claim 1 wherein said vulnerability scores comprise Common Vulnerability Scoring System (CVSS) scores.

9. A non-transitory computer readable storage medium having stored thereon, computer executable instructions that, if executed by a computer system cause the computer system to perform a method of risk analysis comprising: accessing, within an electronic system, host configuration information of a host; querying a vulnerability database based on said host configuration information; receiving a list of vulnerabilities, wherein said list of vulnerabilities corresponds to vulnerabilities of said host; accessing a plurality of vulnerability scores for said host and at least one software product of said host, wherein said plurality of vulnerability scores measure access vulnerability and vulnerability impact, and wherein said host and said at least one software product of said host are respectively associated with more than one of said plurality of vulnerability scores; determining a composite risk score for at least one of said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said composite risk score measures at least in part a severity reflecting that an exploited vulnerability is needed by an attacker to compromise at least one of said host and said at least one software product of said host, and wherein said composite risk score is based on a highest vulnerability score among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host; determining an aggregate risk score for said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said aggregate risk score measures at least in part a number of options available to said attacker for compromising at least one of said host and said at least one software product of said host, and wherein said aggregate risk score is based on a summation among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host; generating a graph representing said at least one software product of said host, wherein nodes of said graph represent software states of said at least one software product, wherein edges of said graph represent vulnerabilities detected in said at least one software product, wherein a path through said graph begins at a start node having relatively lower access vulnerability, and wherein said path ends at an end node having relatively higher vulnerability impact; and determining a risk score based on said path through said graph and at least one of said composite risk score and said aggregate risk score.

10. The computer readable storage medium of claim 9, wherein said host configuration information comprises information about a plurality of software applications and an operating system.

11. The computer readable storage medium of claim 9, wherein said method further comprises: querying a fixes database based on said list of vulnerabilities; receiving a list of fixes; and checking said list of fixes against said host configuration information.

12. The computer readable storage medium of claim 9, wherein said method further comprises: determining a software product contributing the most risk to an enterprise.

13. The computer readable storage medium of claim 9, wherein said method further comprises: determining a host contributing the most risk to said enterprise.

14. The computer readable storage medium of claim 9, wherein said method further comprises: determining a vulnerability contributing the most risk to said enterprise.

15. The computer readable storage medium of claim 9, wherein said vulnerability scores comprise Common Vulnerability Scoring System (CVSS) scores.

16. The computer readable storage medium of claim 9, wherein said vulnerability database is a National Vulnerability Database (NVD).

17. A system comprising: a host configuration access module for acces
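The two scores of claim 1 and the fix-removal step of the abstract, as an added Python example (not code from the patent or its assignee): the composite risk score is the highest score among a host's or product's vulnerabilities, the aggregate risk score is their summation, and claim 4's "product contributing the most risk" is read off either score. The vulnerability records, product names and CVSS-style scores are constructed sample data; the graph-path step of claim 1 is not modelled here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    """One detected vulnerability on a host (constructed sample record)."""
    vuln_id: str          # placeholder label, not a real CVE identifier
    product: str          # software product on the host that is affected
    score: float          # CVSS-style base score in the range 0.0 to 10.0
    fix_installed: bool = False

# Constructed sample data, not taken from the patent.
HOST_VULNS = [
    Vuln("VULN-A", "browser", 9.3),
    Vuln("VULN-B", "browser", 4.3),
    Vuln("VULN-C", "browser", 6.8, fix_installed=True),  # dropped: fix present
    Vuln("VULN-D", "pdf-reader", 7.5),
    Vuln("VULN-E", "os", 5.0),
    Vuln("VULN-F", "os", 5.0),
    Vuln("VULN-G", "os", 4.0),
]

def remove_fixed(vulns):
    """Abstract step: drop vulnerabilities whose corresponding fix is installed."""
    return [v for v in vulns if not v.fix_installed]

def composite_score(vulns):
    """Severity of the single worst vulnerability: the highest score (claim 1)."""
    return max((v.score for v in vulns), default=0.0)

def aggregate_score(vulns):
    """How many options an attacker has: the summation of all scores (claim 1)."""
    return round(sum(v.score for v in vulns), 1)

def product_scores(vulns):
    """Per-product (composite, aggregate) pairs for the host's software products."""
    by_product = {}
    for v in vulns:
        by_product.setdefault(v.product, []).append(v)
    return {p: (composite_score(vs), aggregate_score(vs)) for p, vs in by_product.items()}

def riskiest_product(vulns, by="aggregate"):
    """Product contributing the most risk (claim 4), by either score type."""
    idx = 0 if by == "composite" else 1
    scores = product_scores(vulns)
    return max(scores, key=lambda p: scores[p][idx])

if __name__ == "__main__":
    live = remove_fixed(HOST_VULNS)
    print("host composite:", composite_score(live), "aggregate:", aggregate_score(live))
    for product, (comp, agg) in product_scores(live).items():
        print(f"{product}: composite={comp} aggregate={agg}")
    print("riskiest by aggregate:", riskiest_product(live))
    print("riskiest by composite:", riskiest_product(live, by="composite"))
```

With this data the two scores disagree: the browser has the single worst vulnerability (composite 9.3), while the operating system offers the attacker the most options (aggregate 14.0), which is why the claim keeps both measures.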

Assignees

Inventors

Classifications

  • Vulnerability analysis · CPC title

  • G06F21/577 (primary)

    Assessing vulnerabilities and evaluating computer system security · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Elder Matthew Cruz, Kienzle Darrell Martin, Manadhata Pratyusa K, and 2 more
What technology area does this patent fall under?
Primary CPC classification G06F21/577. Mapped technology areas include Physics.
When was this patent published?
Publication date Apr 19, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).