Offshoring - OutSourcing - Inhouse
Does any of it matter?
Each is liable as a security risk - and the risk tends to run depending upon how you reward the coders. People are more likely to backdoor you if you get the rewards mix wrong.
It is about trust, unless you are willing to wade in and crack out the code yourself.
That is why developer lead companies for software security do well technically, whilst marketing lead security companies use scare tactics.
I would say that offshoring is a bit daft, because you lose legal recourse and loyalty is near zero.
Inhouse, well that is a threat if you treat your development team badly, and don't give them a stake in the product.
OutSourcing hmm, well depends how you do it, if you hire contractors and give them a stake you will be ok. If you hire an outsourcing company who gets the stake, but their developers don't then you are close to offshoring again.
It boils down to trust and having a stake in the success of the product. If the code is open you can at least review it properly, though the cost of review can be prohibitive, and who is to say the reviewers may not introduce backdoors.
It does amuse me that they say it doesn't matter if they can see the source code or not. I would want that explained fully, because it sounds to me like some marketing dweeb asked a developer if source code was necessary to check for security holes, and got bored as the developer went into how IDA Pro worked. A debugger or disassembler, is no substitute for source code, and in many cases is now illegal to apply.