Privacy and security enabled domain name system with optional zero-touch provisioning
US-2021250349-A1 · Aug 12, 2021 · US
US12170656B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-12170656-B1 |
| Application number | US-202217808078-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jun 21, 2022 |
| Priority date | Jun 21, 2022 |
| Publication date | Dec 17, 2024 |
| Grant date | Dec 17, 2024 |
Abstract
A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.
Claims (preview; the extracted text ends mid-claim 18)
What is claimed is:

1. A method comprising: performing, by a scan assistant on an asset of a network: establishing a transport layer security (TLS) connection with a scan engine on a device having electronic communication with the asset using TLS protocol, wherein the asset comprises at least one computing resource, wherein the scan engine is configured to use the scan assistant to perform scans of the asset based on a communication protocol, wherein the scan assistant provides the scan engine access to perform the scans, and wherein the establishing of the TLS connection comprises the scan assistant: receiving a public certificate from the scan engine; and authenticating the scan engine to execute scan operations on the asset based on verifying the public certificate from the scan engine with a certificate authority stored on the asset; receiving, from the scan engine, one or more scan operations to execute on the asset according to the communication protocol; executing the one or more scan operations on the asset to obtain results reflecting a state of the asset; and sending the results to the scan engine according to the communication protocol.
2. The method of claim 1, wherein the one or more scan operations specify operating system commands to collect information about the asset.
3. The method of claim 1, further comprising the scan assistant establishing different TLS connections with different scan engines according to different TLS protocol versions.
4. The method of claim 1, wherein the scan engine stores different pairs of public certificates and private keys associated with different assets, and the different pairs of public certificates and private keys are used to establish TLS connections with the different assets.
5. The method of claim 1, further comprising the scan assistant: generating a second public certificate and a second private key pair associated with the scan assistant; and sending the second public certificate of the scan assistant to the scan engine as part of a two-way certificate authentication, wherein the second public certificate and second private key pair is generated when the asset is rebooted or the scan assistant is started as a service on the asset, and wherein the scan engine is configured to authenticate the scan assistant without verifying the second public certificate from the scan assistant with a second certificate authority.
6. The method of claim 1, further comprising the scan assistant: storing a signed second public certificate and a second private key pair on the asset; and sending the signed second public certificate to the scan engine; wherein the scan engine is configured to authenticate the scan assistant based on verifying the signed second public certificate from the scan assistant with a second certificate authority stored on the scan engine.
7. The method of claim 6, further comprising the scan engine: receiving, from the scan assistant, the signed second public certificate; and verifying the scan assistant based on the signed second public certificate using the second certificate authority stored on the scan engine.
8. The method of claim 7, wherein the scan engine is configured to use different certificate authorities to verify public certificates of different scan assistants.
9. The method of claim 1, wherein the TLS connection is established using a one-way certificate authentication.
10. The method of claim 1, wherein the TLS connection is established using a two-way certificate authentication.
11. The method of claim 1, wherein the communication protocol is used by the scan engine to request data stored on the asset or query information about the asset.
12. The method of claim 1, wherein the communication protocol is used by the scan engine to execute commands on the asset.
13. A system comprising: a memory that stores program instructions; and one or more processor that executes the program instructions to implement a scan assistant on an asset, the scan assistant configured to: establish a transport layer security (TLS) connection with a scan engine on a device having electronic communication with the asset using TLS protocol, wherein the asset comprises at least one computing resource, wherein the scan engine is configured to use the scan assistant to perform scans of the asset based on a communication protocol, wherein the scan assistant provides the scan engine access to perform the scans, and wherein to establish the TLS connection the scan assistant is configured to: receive a public certificate from the scan engine; and authenticate the scan engine to execute scan operations on the asset based on verifying the public certificate from the scan engine with a certificate authority stored on the asset; receive, from the scan engine, one or more scan operations to execute on the asset according to the communication protocol; execute the one or more scan operations on the asset to obtain results reflecting a state of the asset; and send the results to the scan engine according to the communication protocol.
14. The system of claim 13, wherein the one or more scan operations specify to execute one or more shell scripts on the asset.
15. The system of claim 13, wherein the certificate authority comprises a self-signed public certificate signed using a private key of the scan engine.
16. The system of claim 13, wherein the scan assistant is configured to: generate a second public certificate and a second private key pair associated with the scan assistant; and send the second public certificate of the scan assistant to the scan engine as part of a two-way certificate authentication, wherein the second public certificate and second private key pair is generated when the asset is rebooted or the scan assistant is started as a service on the asset, and wherein the scan engine is configured to authenticate the scan assistant without verifying the second public certificate from the scan assistant with a second certificate authority.
17. The system of claim 13, wherein the scan assistant is configured to: store a signed second public certificate and a second private key pair on the asset; and send the signed second public certificate to the scan engine; wherein the scan engine is configured to authenticate the scan assistant based on verifying the signed second public certificate from the scan assistant with a second certificate authority stored on the scan engine.
18. A non-transitory, computer-readable storage medium storing program instructions that when executed by one or more processors, cause the one or more processors to implement a scan assistant on an asset, the scan assistant configured to: establish a transport layer security (TLS) connection with a scan engine on a device having electronic communication with the asset using TLS protocol, wherein the asset comprises at least one computing resource, wherein the scan engine is configured to use the scan assistant to perform scans of the asset based on a communication protocol, wherein the scan assistant provides the scan engine access to perform the scans wherein to establish the TLS connection the scan assistant is configured to: receive a public certificate from the scan engine; and authenticate the scan engine to execute scan operations on the asset based on verifying the public certificate from the scan engine with a certificate authority stored on the asset; receive, from the scan engine, one or more scan operations to execute on the asset according to the communication
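The abstract and claims describe a trust arrangement rather than code: the asset stores a certificate authority and will only run scan operations for an engine whose certificate verifies against it (claims 1 and 15, where that CA is the engine's own self-signed certificate); in the other direction the engine either verifies the assistant's certificate against a CA it stores (claim 6) or accepts the assistant's freshly generated certificate without CA verification (claim 5). The Go program below is an added illustration of that arrangement and is not code from the patent or its assignee. Everything in it is an assumption for demonstration: the names `scan-engine`, `assistant-ca` and `asset-1.example`, the single-field JSON `Message` wire format, the loopback TCP transport, and the `executeOp` allowlist that stands in for the "operating system commands" of claim 2. `runScan` plays both roles in one process: the assistant side requires and verifies a client certificate against `assetTrust`, and the engine side verifies the assistant against `engineTrust`, or skips that verification when `engineTrust` is nil.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"math/big"
	"runtime"
	"time"
)

// Message is the constructed wire format: the engine names an op, the assistant answers.
type Message struct{ Op, Value, Error string }

// issueCert makes a P-256 key and certificate for name. With parent nil the result is
// self-signed and CA:TRUE, a storable trust anchor (claim 15); else a leaf signed by parent (claim 6).
func issueCert(name string, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, issuer := interface{}(key), tmpl
	if parent != nil {
		signer, issuer = parent.PrivateKey, parent.Leaf
	} else { // self-signed anchors are the only CA:TRUE certificates issued here
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// poolOf is the one-certificate trust store a side keeps locally.
func poolOf(c tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c.Leaf)
	return p
}

// executeOp is the assistant's dispatch for claim-2 style OS queries: a fixed allowlist, never a shell.
func executeOp(op string) Message {
	if op == "platform" {
		return Message{Op: op, Value: runtime.GOOS + "/" + runtime.GOARCH}
	}
	return Message{Op: op, Error: "operation not in allowlist"}
}

// runScan runs one engine->assistant exchange over loopback TLS. assetTrust is the CA stored on the
// asset for engines; engineTrust is the CA stored on the engine for assistants (claim 6), or nil to
// skip CA verification of the assistant (claim 5), which then proves only possession of some key.
func runScan(assistant, engine tls.Certificate, assetTrust, engineTrust *x509.CertPool, op string) (Message, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{assistant},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the engine must chain to assetTrust
		ClientCAs:    assetTrust,
	})
	if err != nil {
		return Message{}, err
	}
	defer ln.Close()
	go func() { // assistant side: the first Read drives the handshake, so an
		if conn, err := ln.Accept(); err == nil { // unauthenticated engine never reaches executeOp
			defer conn.Close()
			var req Message
			if json.NewDecoder(conn).Decode(&req) == nil {
				json.NewEncoder(conn).Encode(executeOp(req.Op))
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates:       []tls.Certificate{engine},
		RootCAs:            engineTrust,
		InsecureSkipVerify: engineTrust == nil,
		ServerName:         assistant.Leaf.DNSNames[0],
	})
	if err != nil {
		return Message{}, err
	}
	defer conn.Close()
	var res Message
	if err = json.NewEncoder(conn).Encode(Message{Op: op}); err == nil {
		err = json.NewDecoder(conn).Decode(&res)
	}
	return res, err
}

func main() { // stand-alone demo: a trusted engine scanning a CA-verified assistant
	ca, _ := issueCert("assistant-ca", nil)
	assistant, _ := issueCert("asset-1.example", &ca)
	engine, _ := issueCert("scan-engine", nil) // self-signed; the asset stores it as its CA
	fmt.Println(runScan(assistant, engine, poolOf(engine), poolOf(ca), "platform"))
}
```

Two points a defender should take from running it. First, the rejection of an engine whose certificate is not the CA stored on the asset happens inside the handshake, before any operation is read, which is the property claim 1 relies on; with TLS 1.3 the engine only learns of the rejection when it reads the reply, so the engine side must treat a failed read as a failed scan. Second, the `engineTrust == nil` mode of claim 5 lets the handshake complete against any certificate the peer presents, so the engine learns that the peer holds the private key for that certificate and nothing about which host it is; pinning the assistant's certificate or public key, or the claim-6 CA, is what ties the session to a specific asset. The allowlisted `executeOp` is this example's design choice, not the patent's; claims 2, 12 and 14 speak of OS commands and shell scripts, which is exactly where an assistant needs its own authorization boundary beyond the TLS identity check.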
CPC classification (titles as extracted, partial):

- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)
- at the transport layer