How would you break down an application architecture to identify potential entry points for attackers at Moody's?