How do you conduct threat modeling for a new web application interacting with an external API at Becton Dickinson?