"OpenVAS/OVAL/co. are completely different from debsecscan"... from a security-oriented perspective: okay, but otherwise, I am not so sure.
If you have a security-oriented administrator, the distinction really matters (especially for an audit). However, he has already paid attention to both tools output and has probably already done enough to secure/audit the system. For him, the problem is more to assist in managing the tools output (especially over time) in order to get proper credit for his security work. (It would probably be nice too to have some evidence that unfixed issues are due to external causes; at least to neutralize liability where it matters.) And combine with intrusion detection too. (Starts to get a big thing, fortunately, you have a security administrator there to help...)
The average administrator may not make so much distinction between OpenVAS and debsecscan; he will take whatever tool is easier for him and the less intrusive (probably debsecscan then). However, he will need results carefully targetted at its level of knowledge and availability and very well justified (ie.: this is critical, really, or this is extremely easy, really).
IMHO, none of the tools adequately fills one of the two niches. One problem I see is that a third niche (regular administrator with time for security-oriented work) may simply not exist. However, many of our tools seem to work for that niche; hence the flow of "read-click-and-forget" things with security in the last decade, with their (predictable) cohort of "forgot to click" issues (along with "never reading anyway" or the rarer "read it all until late at night and then left in a hurry without clicking").
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds